[plug] SOHO security and multiple LANs

[W.Kenworthy]

This doesnt sound very efficient or seem to give any advantages (the
separation you are trying to make seems useless - all machines have both
nodes from your description).  Worse, one compromised machine gets to
your secure network, and essentially all machines are exposed via the
insecure connections.  It is better to minimise the exposure area, not
make it multiple machines wide.

Use a switch, a single network and monmotha or shorewall on a gateway
machine between the LAN and the ADSL modem (modify it to make it
function the way you want).  That way traffic you want local stays
local, and only outside traffic is routed in/out.  If you need internet
facing services, use a DMZ.  Exposure to internet traffic is much more
managable this way which is why its a very common configuration.

Lastly, one run of cable to each machine will be cheaper.

BillK

On Mon, 2005-11-21 at 14:50 +0800, Chris Caston wrote:
> Hello,
> 
> I'm interested in comments on the following scheme for a SOHO setup.
> There is an ADSL modem/router dishing out IPs on 192.168.1.x and each
> machine is plugged into this via cat5.
>  
> Each machine also has a second nic with the IP statically assigned in
> the range of 10.1.1.x. This is for the local LAN and internal (unexposed
> to the internet) servers (eg file servers and local VOIP PABX) and are
> all connected via a 16 port switch.
> 
> Each machine also has a software firewall. I won't go into details right
> now but the 192.168.1.x LAN is treated with much more suspicion than the
> 10.1.1.x LAN. 
> 
> If a interface on the 10.1.1.x LAN starts sending out strange traffic it
> may be blocked.
> 
> Comments?
> 
> It's not a real implementation so if you ask me for more details I will
> imagine them up for you ;)
> 
> regards,
> 
> Chris
> 
>  
> 
> 
> 
> 
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au