Koozali.org: home of the SME Server

E-Smith Security

Stone Linton

E-Smith Security
« on: December 13, 2001, 12:31:55 AM »
I've currently got a T1 coming in . . . it goes to my CSU/DSU router . . . then to a passive 8-port hub.  I've got a block of eight IP addresses, six usable.  My firewall, OpenBSD, is assigned one of the six addresses and plugs in to the hub.  Currently I've got some client workstations that use the public IPs and I move the associated patch cable from the internal switch to the 8-port hub . . . giving them direct connections to the Internet . . . and I've got a video conference system connected directly to the Internet.  My switch and LAN is behind the firewall.

I want to put an E-Smith box with two NICs with a public IP on the hub and plug the second NIC in to my switch.  I want to do this so that I can connect to the E-Smith box from inside my LAN and move www and ftp files directly to the i-bays.

What security risks does this present?  What alternatives exist?  I considered using the E-Smith box with only one NIC and using a VPN to connect and transfer files too, but don't know the performance hit I'll take going through my firewall.

Suggestions?

Dan G.

Re: E-Smith Security
« Reply #1 on: December 13, 2001, 01:08:34 AM »
It doesn't look like you need too many alternatives --- you have a very good package for your task in SME.  In server & gateway mode, it will do precisely what you need it to do.  The "gateway" functionality will be surplus capability if you don't use it as such, but won't cause any problems.  Since your internal hosts already go out via the BSD box, you don't need an additional gateway --- but it could be used as your primary gateway device should the BSD box ever fail or need to be taken down for maintenance.  Simply configure internal hosts to use the internal address of the SME box as their default gateway, and out they go.

All of the security designed into the SME package is adequate for doing what you need.

Dan

Stone Linton

Re: E-Smith Security
« Reply #2 on: December 13, 2001, 04:42:08 AM »
What do I need to do to prevent any routing between LAN and WAN segments?