General discussion

Dual-homed

By jswingle
I have two networks set up; one is using the 2 NIC system along with proxy.
I tested it with Shields Up (https://grc.com/x/ne.dll?bh0bkyd2) and it is running in "full stealth mode".

The other is not set up for proxy yet; it will have about 6 users accessing the Internet. The server is a Dell 450 P3 dual processor, 256 MB of RAM and running Platinum (our fanatical software), Exchange, and no other software.

Which is the better way of setting up proxy, by using two NICs or purchasing a second computer and running it separate from the server?
Cost is not an issue; security and performance are.

I have been told that using a second computer is much more secure than the dual-homed method. Is this true?
Microsoft seems to support the dual-homed system.


Thanks,
Jerry

by Don Christner In reply to Dual-homed

We have run both ways, and the most secure seemed to be the dual-homed method. Since you are running in full stealth mode, even if someone scans your IP addresses, they still will not get a response. Therefore, you don't exist; you can't get much safer than that. MS has always been soft on security, but dual-homed has been good for us.

Don

by mark_lt In reply to Dual-homed

Why don't you just purchase a small P2 workstation, add a second NIC and run proxy off that? The way I have it set up is as secure as MS Proxy gets (I think). I have nic1 with a legal internet IP, nic2 with a 192.168.*.*, and my local network is on a completely different network ID, using our router (lmhosts will suffice + some static routes) to make the connection from the LAN to the proxy. Then run nothing else on Proxy.

by dlw6 In reply to Dual-homed

Ouch. I recommend two computers if you can afford it.

Reason 1: Performance. I had a dual-P3-450 firewall with 512 MB PC100 RAM, and the firewall was still adding a 300-500 ms delay in forwarding packets (and I hadn't even told the firewall to screen the traffic yet). Meanwhile, the single-processor P3-450 Exchange server w/ 128 MB PC100 RAM was doing okay with 25 accounts. Proxy software isn't that different from firewall, as far as what it's doing, so I'd expect similar performance challenges.

Reason 2: Security. Your proxy is protecting your intranet, and has to be picky about what traffic to allow in. Meanwhile, your Exchange server is *supposed* to talk to everyone using a variety of protocols. With one machine, the Exchange part is unprotected by the proxy, and any Denial of Service attack on either the Exchange services or the Proxy services means you lose both.

by Stoop In reply to Dual-homed

The best solution security-wise is to install it on a separate machine that is not a BDC. Make it a member server. As well, if cost is no issue, but security is, use a "Good" firewall. MS Proxy is not nearly as secure as, say, Raptor firewall. Raptor does much better security logging, and this is just as important as having the door closed.

by curlergirl In reply to Dual-homed

Far be it from me to trounce on Microsoft's toes, but if you only have 6 users on a separate network, there's a really easy and relatively cheap way to have a "full-stealth" system. Get a router that is NAT-capable and use private internal IP addresses (192.168.x.x or 10.x.x.x). This is known as the "poor man's firewall." You don't even need Proxy Server unless there are other reasons for it - i.e., need to use some sort of access control, logging of connections, etc., etc. With only 6 users I'd doubt you really need all that. I have a similar setup in my office with four users, and Shields Up tests it as completely "stealthy". Just a suggestion, though. I do use Proxy on other networks, and my preferred method is a separate server that is dual-homed - i.e., similar to what you're already doing only it's on a separate server. This is a bit more secure and also improves performance. Using a separate router in between instead of dual-homed might increase security a tiny bit, but I don't think it's really necessary. Hope this helps!
