Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: tlicht on April 24, 2005, 11:12:35 AM
-
Well, the subject line pretty well sums it up....
1. Traditional LAN - WAN config:
Firewall <-> Lan swithc <=> SME and the workstations
2. Firewall-SME in series:
Firewall <-> SME(two NICs) <-> LAN switch <=> workstations
Would 2 be of any advantage? It certainly would put a bigger load on SME....
...if the option of using SME also for firewalling is not considered....
-
the advantage is that you could begin to use your SME for firewall services such as dansguardian, blocking access to internet by workstation/ip, etc.
Granted it's a little more work but it would still get the job done.
i can already hear echos in my head of other people asking "if you set it up this way, why have the firewall in front of the sme in the first place?"
-
.. we all have stylistic and technical preferences nd this setup happens to be mine, reasons:
a) double NATing the system makes it just a touch harder to get in to the inside of my network
b) using a good router infront of SME that handle IPSEC means I can provide VPN endpoints without messing with the SME box
c) port forwarding only those ports need to see the SME box reduces the load on the SME and minimises its exposure profile
d) allows me to provide outbound filtering very easily
I like SME and the way it does its stuff but I figure a multi layered approach to security is valuable. It adds a little more complexity to the site but this is trivial in this context.
I have not had a problem with getting anything to work using this setup tho I never configure for P2P, VOIP, IM.
HTH
-
i don't disagree with you and have said the same before http://forums.contribs.org/index.php?topic=26613.msg109010#msg109010 .
I actually have the same setup. I just wanted to hear tlicht's reasoning.