[Techtalk] Network Layout (was ISP...)

Raven, corporate courtesan raven at oneeyedcrow.net
Fri May 17 11:11:59 EST 2002


Heya --

	A little belated, but...

Quoth Conor Daly (Sat, May 11, 2002 at 09:02:33PM +0100):
> On Thu, May 09, 2002 at 02:25:27PM +0800 or so it is rumoured hereabouts, 
> Jacqueline McNally thought:
> > 
> > Bridging vs routing. Please could someone explain the impact of this if I 
> > want to host a domain on the offered static IP address and still have 
> > access to a number of other machines.
>  
> Don't know the difference between them myself but I use port forwarding to
> access individual machines behind my firewall.

	Bridging vs. routing won't really affect your connectivity to
that static IP.  It's just a matter of how many other machines you're
sharing your local network with.

	From the perspective of the ISP, if you're on a bridged line,
you are essentially sharing a local layer-2 network with other
customers.  It's like a little LAN in the ISP.  So your gateway and any
other unfirewalled devices you put up there will appear to the ISP as if
they're on the same network as Joe Next Door.

	This is a lot cheaper for the ISP, but makes following good
security practices on your part more essential, since other devices on
your same LAN may be able to see more of your traffic (or get to see
it).  ARP spoofing and things like that may work, depending on the
network layout.

	Routing means that the division between your network and your
neighbor's is done at Layer 3 rather than Layer 2.  You will generally
have your own little IP block (like a /29 or /30) rather than being part
of one big /24 or so.  But any sort of attacks against your network that
depend on you sharing a LAN won't work across a routed network.

	The difference in price between a bridged topology and a routed
one is pretty much you paying for the additional security of a separate
IP network.  (Not just vaporware costs there -- the actual hardware to
do routing costs more than the actual hardware to do switching.)  There
are many people who exist on bridged circuits quite happily and don't
get hacked.  My home DSL is a bridged circuit, and I'm not overly
worried about that.  (Of course, I also have three firewalls at home and
tend to use encrypted protocols whenever possible.)  Most home broadband
(most DSL, all cable modems that I know of) is bridged rather than
routed, simply because it's so much cheaper. 

> this puts the web server behind the firewall so, in theory, you don't have
> to do any more securing since you've already done that at the firewall.
> however, you _are_ allowing untrusted traffic onto your internal network

	Generally a bad idea.  I'd suggest the DMZ-like setup that Conor
put forth.  That way if your Web server gets hacked, they don't
necessarily get all your local network boxes too.
  
> This way, no untrusted traffic is allowed into your network so that's
> presumably secure.  However, the web server is exposed to the internet and
> so must itself be properly secured (Raven'll probably give out to me for
> saying you don't need to secure the box if it's behind a firewall and
> properly so).

	Heh.  Yeah.  Defense in depth is good; that way if they use
firewall-penetrating tactics, they still won't be able to get in.  You
should lock down any box you're planning to put on the Net, firewall or
no.  Also, you can construct your firewall rules so that only certain
ports are allowed to the Linux web server.  (Still a good idea to lock
down that box, though.)

Predictable,
Raven
  
"The Eye is mean. The Eye is red.
 He rules nine Riders. They are dead."
  -- Gandalf, from "Green Eggs and Lembas", 
     http://www.tolkienonline.com/docs/4511.html
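The two layouts debated above (web server in a DMZ with only certain ports allowed through, versus port-forwarding into the internal network), as an added Python model that is not part of the original post; the addresses, zone names, rule sets and the hypothetical "compromised web server" check are constructed assumptions.

```python
"""Toy firewall-policy check for the DMZ vs. port-forward layouts.

All addresses are constructed documentation ranges, not anyone's real network.
"""
import ipaddress
from dataclasses import dataclass

DMZ = ipaddress.ip_network("192.0.2.0/29")      # small public block, as on a routed circuit
LAN = ipaddress.ip_network("192.168.1.0/24")    # private network behind the firewall
DMZ_WEB = ipaddress.ip_address("192.0.2.2")     # web server when it lives in the DMZ
LAN_WEB = ipaddress.ip_address("192.168.1.5")   # web server when it is port-forwarded into the LAN

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def zone(addr):
    ip = ipaddress.ip_address(addr)
    return "dmz" if ip in DMZ else "lan" if ip in LAN else "internet"

def to_host(host, ports):
    """Predicate: packet is addressed to `host` on one of `ports`."""
    return lambda p: ipaddress.ip_address(p.dst) == host and p.dport in ports

# Rules are (src_zone, dst_zone, predicate, verdict); first match wins, default DROP.
# Layout 1 (DMZ): only 80/443 to the web server from outside; nothing from the DMZ into the LAN.
DMZ_RULES = [
    ("internet", "dmz", to_host(DMZ_WEB, (80, 443)), "ACCEPT"),
    ("lan", "dmz", lambda p: True, "ACCEPT"),
    ("lan", "internet", lambda p: True, "ACCEPT"),
    ("dmz", "lan", lambda p: True, "DROP"),
]
# Layout 2 (port forwarding): web server sits inside the LAN; 80/443 are forwarded to it.
PORTFWD_RULES = [
    ("internet", "lan", to_host(LAN_WEB, (80, 443)), "ACCEPT"),
    ("lan", "internet", lambda p: True, "ACCEPT"),
]

def verdict(p, rules):
    """Firewall decision for one packet. Same-zone traffic never crosses the
    firewall: it is switched locally, so the rules cannot filter it."""
    s, d = zone(p.src), zone(p.dst)
    if s == d:
        return "ACCEPT"
    for src_zone, dst_zone, match, v in rules:
        if src_zone == s and dst_zone == d and match(p):
            return v
    return "DROP"

def compromised_web_server_reaches_lan(rules, web):
    """Could a (hypothetically) compromised web server open SMB to a LAN workstation?"""
    return verdict(Packet(str(web), "192.168.1.10", 445), rules) == "ACCEPT"
```

In the DMZ layout the last check returns False; in the port-forward layout it returns True, which is the point Conor and Raven make about letting untrusted traffic onto the internal network.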
