Two hardwired NICs, need to set up two connections.

I have two hardwired ethernet ports on my computer I am attempting to use for a web-server.

This is the proposed setup:

  1. Ethernet Card “A” connects on 192.168.1.200, will be for internal (LAN) use, to connect to the local network only.
  2. Ethernet Card “B” connects on 192.168.1.210, will be for the external (WAN) connection, used by the HTTP server and FTP servers to support hosting my personal website.

NIC “A” will be the protected LAN link to our home network for connection to our file server and other resources needing to be secure from WAN access (firewalled). The NIC “B” connection will be for WAN access to host our website, FTP access and our media server. The thought is that traffic on one card will not be viewable by the other, setting up a secure division between LAN and WAN areas. Am I better off trying to use Apache to host the website off the same NIC as the LAN connection? I have been told by some IT types that it would be a bad idea and I should set up two connections; just having one could open a gateway to our LAN network.

I have the ability to assign either card to the DMZ through the router as needed. I am not finding much information on setting up two NICs to work in the same machine. I am wondering if I am overthinking it and adding unnecessary complications.

I don’t know if this would be overdoing it, but if you set CARD A for LAN and in the firewall you set it as Internal, there will be only local access on it. Card B will be set for WAN and as the External zone in the firewall. This way I guess you delimit the traffic and the boundaries of your networks physically and with the firewall. I think this method is more secure than using only one card. With only one card I’m just thinking a hacker would attempt to find a weakness in your security, as he knows on which IP to find you and could try to guess the ports which you are using for the other components of the web servers. That’s what I’m thinking and I would like to hear what other more experienced members would have to say.

Of course you should use two NICs.

How is your server connected to the Internet?
Can you illustrate your entire network topology?

I am trying to set up Apache 2 and ISPConfig 3 to use my box (Server2) card B for the purpose of hosting and serving as FTP to web clients. I will not be hosting more than 5 websites total (family sites, non-commercial), with media sharing using FTP or Cloud access to a 3 TB hard drive mounted in the server as sdb. Right now I am having trouble getting ISPConfig to work correctly, but Apache2 is up and running on both HTTP and HTTPS. I plan on using network card A to remotely manage the server from my office computer, or via notebook computer if necessary. Servers are co-located, but in the basement; the office is on the third floor.

Server2 Card A - known in the system as enp3s0 is using 192.168.1.200/24 and is connected to my home/office LAN for remote management.
Server2 Card B - known in the system as enp1s5 is using 192.168.2.210/24 and is fully open to WAN access (DMZ at router) for server, and media access.

ISP -> 1000bT 5 port managed switch -> Router(NAT)1 -> 1000bT 24 port Switch1 -> Card A for workgroup computers, and printers. Pointing to 192.168.1.1 with subnet at 255.255.255.0 for private LAN (home, and home office).

ISP -> 1000bT 5 port managed switch -> Router(NAT)2 -> 1000bT 8 port Switch2 -> Card B for servers and media devices. Static IP assignment per server pointing to 192.168.2.1 with subnet at 255.255.255.0 for second private LAN (media servers, websites and FTP host).

Maybe a thread to read is:

https://forums.opensuse.org/showthread.php/499345-Dual-NIC-usage and it will maybe give some ideas.

Oh no, we were not agreed on that either.

But why use 2x 192.168.x.x on NICs and let the router manage it with a DMZ zone? openSUSE can do that.

Hmm. Or am I missing something here about your ISP’s setup on the router? In that case I will stand corrected.

regards

Oh no - no - no.

First and most critical, you didn’t describe it, but if you’re using the default Class C subnet mask, your WAN and LAN networks are using the exact same network address space, causing potential routing problems and possibly causing network security issues.

Your physical NICs should be connected to different physical network segments, and maybe they are. If not, then you’re causing additional problems by connecting 2 NICs (which will of course have different MAC addresses) to the same physical network, so your machine would be known by the same hostname(s) and machine name(s) but different machine addresses (MAC addresses). Binding NICs is another scenario I won’t get into unless that is what you might attempt to do.

Adhere to the KISS principle.
If you wish to set up a “critical node” whereby you can manage connections between the Internet and your LAN, you can set your box up as a router and DG for your LAN.

But, if you’re managing network access to the Internet, network security and services for your LAN elsewhere and only want to set up a webserver, then you only need one NIC and then make a decision to deploy in your LAN, in a DMZ or directly exposed (WAN). Whichever of those you choose then also determines how you configure routing and name services.

The only exception to the above I can think of is a special configuration using “split brain DNS” when you do configure separate LAN and WAN addresses for a resource like a website, but that is complex and is generally unnecessary.

TSU
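The address-space problem TSU raises (both cards configured inside 192.168.1.0/24 in the first proposal) can be checked mechanically. The following is an added example, not code from the thread or from openSUSE: it uses only Python's standard `ipaddress` module, takes the interface names and addresses the poster gave, and shows that with overlapping networks a LAN destination such as 192.168.1.25 matches both NICs equally, so which card the traffic leaves on is decided by route order rather than by the address.

```python
"""Added example (not from the thread): check whether the two NICs' address
spaces overlap and whether a LAN destination routes unambiguously.
Interface names and addresses are the ones the poster gave; the two layouts
are the first proposal (both NICs in 192.168.1.0/24) and the revised one."""
import ipaddress
from typing import Dict, List, Tuple

# Poster's first layout: both cards configured inside the same /24.
FIRST_PROPOSAL = {"enp3s0": "192.168.1.200/24", "enp1s5": "192.168.1.210/24"}
# Poster's revised layout: card B moved to its own /24 behind a second router.
REVISED = {"enp3s0": "192.168.1.200/24", "enp1s5": "192.168.2.210/24"}


def overlapping_networks(ifaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of interfaces whose connected networks overlap.
    Two NICs in one box sharing an address space is the problem TSU raises:
    the kernel sees one network reachable through two links."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def candidate_interfaces(dest: str, ifaces: Dict[str, str]) -> List[str]:
    """Longest-prefix match of dest against the directly connected networks.
    Returns all interfaces tied for the longest match. One name means the
    choice is determined by the address; two means it depends on route
    order or metric, so 'LAN traffic' may leave through the WAN card.
    An empty list means the packet would go to the default gateway."""
    addr = ipaddress.ip_address(dest)
    best, winners = -1, []
    for name, cidr in ifaces.items():
        net = ipaddress.ip_interface(cidr).network
        if addr in net:
            if net.prefixlen > best:
                best, winners = net.prefixlen, [name]
            elif net.prefixlen == best:
                winners.append(name)
    return sorted(winners)


def shares_network(host_a: str, host_b: str) -> bool:
    """True when two hosts sit in the same subnet, i.e. they reach each other
    directly without crossing a router or firewall. This is the check behind
    the later question whether a DMZ host at 192.168.1.210 can see an office
    PC at 192.168.1.25: same /24, so nothing between them filters traffic."""
    return (ipaddress.ip_interface(host_a).network
            == ipaddress.ip_interface(host_b).network)


if __name__ == "__main__":
    for label, layout in (("first proposal", FIRST_PROPOSAL), ("revised", REVISED)):
        print(label, "overlaps:", overlapping_networks(layout),
              "| 192.168.1.25 via:", candidate_interfaces("192.168.1.25", layout))
    print("DMZ host and office PC share a subnet:",
          shares_network("192.168.1.210/24", "192.168.1.25/24"))
```

Run it as a script to see both layouts evaluated; the revised layout (192.168.2.0/24 for card B) returns no overlaps and a single candidate interface for each destination, which is the minimum a two-NIC design needs before any firewall zoning makes sense.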

Thank you - just what I needed to hear. Various efforts to “split” or divide the access to the machine are not working as expected, so I may default back to a single network card, then keep one for a “spare” in case the hardware goes down. Both are built into the motherboard backplane and can be managed in BIOS/CMOS settings.

UPDATE: Contacted my ISP (Frontier) and they are sending me a new wireless N router with gigabit ports. This may present a new way to consolidate my topology and eliminate some attached equipment (lower my power bill)…

Proposal:

  • FiOS Router port 1 -> 16 port switch connected to Home / Home Office network (private IP 192.168.1.2-192.168.1.254, subnet 255.255.255.0), secured at workstations and NAT firewall in place.
  • FiOS Router port 2 -> 8 port switch for web host, cloud service, FTP servers (two physical machines - the File (Cloud) server is “LinuxServer1”, with the Web server and FTP running on “LinuxServer2”).

The goal is to have the Home / Home Office network secured from access by the server network in case web host, cloud server or FTP server is compromised. I am not strong on subnet theory, would like to keep it simple, but secure if possible. I will need to set up remote (SSH?) access to both servers for administrative purposes, both from home / home office LAN and remote (off site) connections.

What is the best / KISS method to accomplish this? Additional router hardware or Subnet masking?

Thanks in advance.

Your new router will probably support a DMZ. Just place your webserver in the DMZ of your router. Exact details will depend on exactly how the router configures the DMZ and port or IP forwarding.

TSU

If I set DMZ to 192.168.1.210 (webserver), would a office computer at 192.168.1.25 be vulnerable to attack if the webserver was compromised? This is what I am trying to avoid.

Probably depends on what device is being used to set up your DMZ and its capabilities.
One important consideration is whether your DMZ is its own physical NIC or a virtual creation (ie either one or two physical NICs). If the DMZ is its own physical NIC, then the possibility exists that routing and isolation <might> be possible using MAC addressing.

I can’t remember ever when a DMZ had the same address space as the LAN, I don’t know if there is a good reason to do so.
I have configured a DMZ as its own address space and also with the same address space as the WAN, though. The former is a fairly standard configuration where you forward ports (either PAT or NAT) from the WAN to the DMZ, and this makes sense because the web server usually faces the public interface. When the web server is configured with a “real” public address, then the webserver of course is configured with the same address space as the WAN.

If you want “protected” access to your web server (as opposed to public access) there are a few configurations…

  • Any physical NIC interface can be configured with multiple IP addresses, each IP address typically in a different address space.
  • You can expose the access port publicly, but then it must be secured. This may also require a router or interface that supports hairpin connections.
  • You can configure a “knock” when you poke a port and the server then initiates a “return call” main connection back to you (ie does not accept inbound ssh/vpn/other connections)

There is also a configuration similar to what you describe (the webserver is in the LAN zone) implemented by Microsoft ISA server. The idea is that the webserver has easy and direct access from the other hosts in the LAN, but is exposed to the public Internet only through pinholes, i.e. forwarding specific ports like 80/443. So, no traditional DMZ. It is reasonably secure, but you need to understand the downside to such easy access from the LAN, and of course that is the easy access from the LAN. If the webserver were compromised in some way, there is no barrier preventing discovery and potential further exploit of other LAN hosts… But in that case, if in a tiny network, you can design further security in depth by tightening up host FW configurations, running IPS, etc.

So, like I described before… It all starts with the details of the FW you’re using. If there is an official guide to your device or software, follow it to avoid issues and test afterwards.

TSU

Good information… I have two physical NICs installed, both can be tied to the FiOS router on separate switch ports. It has both DMZ and port forward capabilities and MAC filtering… Would setting up the web server tied to one of the two NICs and the other for remote access work? I have not been able to find a clear answer on what steps are necessary to “divide” activities across two NICs in one system.

FiOS Router (MI424WR-GEN3I) that is connected on LAN1 to a 16-port 1kBaseT switch, to home and home / office computers, notebooks, tablets, printers and media devices. I can attach the web server (LinuxServer2) either to the router directly (LAN2) or to an open port on the switch. Either of the two installed NICs on LinuxServer2 can be connected, or both if necessary.

If I connect both NIC cards to the switch, they will pull in 192.168.1.XXX addresses on DHCP. I can also assign static IP addressing to either or both if needed. Additional hardware (router, switch) can be added if necessary.

Questions:

  1. Would it be better (more secure) to have one NIC set for LAN access (normal network access) and the other for DMZ / Port Forwarding?
  2. Would it make sense to use subnetting to break up or divide the LAN into normal / server branches?
  3. If subnetting is employed, would LAN A (home / office) be able to communicate (SSH / Telnet) to the servers on LAN B?

Thanks in advance.

  1. Although I’ve often seen this, it provides an alternate path into your network bypassing the path all normal traffic takes in and out of your network, so can be a serious security issue. Should not be recommended. If the second NIC is used in this way, it should be a very temporary connection which is physically disconnected when not in use.

  2. It can be done. Partitioning a larger network is a common practice to limit traffic and visibility to unneeded parts of the network. This is a basic network architecture consideration, and the answer would be based on your requirements and objectives. The downside can be that some things will also make your network more complex and difficult to maintain.

  3. Partitioning a network by setting up different networks (and possibly subnets) typically is done by deploying routers (either appliances or machines configured as routers) that manage routing tables that enable traffic to discover and flow from one network to another.

Getting back to your original question, in a smaller network partitioning networks is usually considered overkill when you have very few machines (particularly servers). You only need to configure the FW router from your ISP for basic security.

TSU
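To make concrete what the earlier question (would an office PC at 192.168.1.25 be exposed if a web server at 192.168.1.210 were compromised?) and the subnetting answers above amount to, here is an added example, not code from the thread and not any real firewall's configuration. It is a toy zone model in Python: zone names borrow firewalld's vocabulary (internal, dmz, external), the two /24 ranges and the policy table are constructed for the illustration, and the key rule is that hosts in the same subnet talk directly, so the table never applies to them.

```python
"""Added example (not from the thread, not a real firewall's config): a toy
zone model for the LAN / DMZ / WAN split the poster is after. Zone names
borrow firewalld's vocabulary (internal, dmz, external); the address ranges
and the policy table are constructed for this illustration."""
import ipaddress
from typing import Dict, FrozenSet, List, Tuple

# Constructed layout: home / home office on one /24, servers on another.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "internal": ipaddress.ip_network("192.168.1.0/24"),  # workstations, printers
    "dmz": ipaddress.ip_network("192.168.2.0/24"),       # web, FTP, media servers
}
ANY = frozenset({"any"})  # marker: every port permitted

# Permitted (source zone, destination zone) -> TCP ports. Pairs absent from
# the table are denied, which is what isolates the LAN from a compromised
# server: there is deliberately no ("dmz", "internal") entry.
POLICY: Dict[Tuple[str, str], FrozenSet] = {
    ("external", "dmz"): frozenset({80, 443}),       # public web traffic only
    ("internal", "dmz"): frozenset({22, 80, 443}),   # admins SSH in from the LAN
    ("internal", "external"): ANY,                   # normal outbound browsing
    ("dmz", "external"): frozenset({80, 443}),       # package updates, nothing else
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known /24s is the WAN."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def allowed(src: str, dst: str, port: int) -> bool:
    """Decide a single flow. Hosts in the same zone talk directly (same
    subnet, no router in the path), so the policy table never applies to
    them; that is why a web server placed on the LAN subnet is reachable
    from, and can reach, every office PC regardless of these rules."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True
    ports = POLICY.get((s, d), frozenset())
    return ports is ANY or port in ports


def reachable_from(src: str, targets: Dict[str, str], port: int) -> List[str]:
    """Which of the named targets a host can reach on a port; the question
    to ask is 'if this server were compromised, what could it talk to?'"""
    return sorted(name for name, ip in targets.items() if allowed(src, ip, port))


if __name__ == "__main__":
    # Constructed hosts; 445 stands in for the file server's SMB share.
    hosts = {"office-pc": "192.168.1.25", "file-server": "192.168.1.30",
             "web-server": "192.168.2.210"}
    print("web server in DMZ reaches on 445:",
          reachable_from("192.168.2.210", hosts, 445))
    print("web server on LAN subnet reaches on 445:",
          reachable_from("192.168.1.210", hosts, 445))
```

The two `reachable_from` calls are the whole argument in miniature: with the server in its own /24 it reaches only itself on 445, while a server dropped into 192.168.1.0/24 reaches the office PC and the file server without any rule being consulted, exactly the flat-LAN exposure the thread is trying to avoid. Real zoning would be done in the router or the host firewall following its own documentation, as TSU advises; this model only checks the design before configuring it.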

Good to know information… Thanks.

Have installed openSUSE on LinuxServer2, opened ports in the firewall to the server IP address (80, 8080) and have the firewall running in ISPConfig with updates applied to secure the system. Have ClamAV and other malware tools running. Have tested the server for open ports, closed ones not in use.

Should be good to go for now, will consider moving to a separate (second) router in the near future. Have the second NIC card disabled, will use it as a backup to the first in case of hardware failure.

Again - thanks for the help.