Sat, Jul 23 2005 13:10
bradley
Okay, let's duke it out... One NIC or two?
You heard me... we already had the Terminal Server argument done to death... let's have the one-NIC-or-two religious argument.
I like two NICs. I like a separation between the internal and external networks. I then like having another small router on the outside for an additional onion layer. I'm not a fan of a one-NIC-then-external-hardware-firewall setup. I can, however, understand that folks consider this the more logical setup after coming from peer-to-peer. I mean, that's what they had in peer networks, right? Then you have all the confusion about this thingy called DNS and why the router needs to stop doing DNS and DHCP when it was doing it just fine before.
I've said it before on the blog that SBS and Active Directory [aka glue] work better when the SBS does the DHCP. Why? Because Active Directory would just logically handle services better on its own platform than reaching out to... say, an external box. The move from peer to domain catches a lot of folks off guard because no longer do they point DNS at the ISP's DNS; rather, you now look inward and just use the ISP's DNS as forwarders in the Connect to the Internet Wizard. Changing from a setup that works... to one that is a bit hard to get a handle on can be a hassle.
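An added example, not from the original post, of the check that paragraph implies: a small Python script that reads `ipconfig /all` output from a workstation and flags the peer-to-peer leftovers (the router still handing out DHCP, clients pointed at the ISP's DNS instead of the SBS). The internal subnet, the SBS address, the SBS forwarder list and the two ipconfig dumps are all constructed for the example and are not taken from any real network.

```python
import ipaddress
import re

# Assumed values for the example: the internal subnet, the SBS box's inside address,
# and the forwarders configured on the SBS DNS server (on a real box these would come
# from the DNS console or the Connect to the Internet Wizard).
INTERNAL_NET = ipaddress.ip_network("192.168.16.0/24")
SBS_INTERNAL = ipaddress.ip_address("192.168.16.2")
SBS_FORWARDERS = [ipaddress.ip_address("198.51.100.53"),
                  ipaddress.ip_address("198.51.100.54")]

# Constructed 'ipconfig /all' excerpts, one per workstation (not real captures).
# This one is a properly joined domain member: DHCP and DNS both come from the SBS.
GOOD_CLIENT = """\
Ethernet adapter Local Area Connection:
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.16.51
        Default Gateway . . . . . . . . . : 192.168.16.2
        DHCP Server . . . . . . . . . . . : 192.168.16.2
        DNS Servers . . . . . . . . . . . : 192.168.16.2
"""

# This one still looks like a peer-to-peer network: the router hands out leases
# and points the client straight at the ISP's resolvers.
PEER_STYLE_CLIENT = """\
Ethernet adapter Local Area Connection:
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.16.77
        Default Gateway . . . . . . . . . : 192.168.16.1
        DHCP Server . . . . . . . . . . . : 192.168.16.1
        DNS Servers . . . . . . . . . . . : 198.51.100.53
                                            198.51.100.54
"""

# 'Field . . . . : value' lines, and the indented bare-IP lines ipconfig uses
# when an adapter has more than one DNS server.
FIELD_RE = re.compile(r"^\s*(DHCP Enabled|DHCP Server|DNS Servers)[ .]*: (.+)$")
CONT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ipconfig(text):
    """Pull the DHCP and DNS settings out of an 'ipconfig /all' dump."""
    cfg = {"dhcp_enabled": None, "dhcp_server": None, "dns_servers": []}
    last = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            field, value = m.group(1), m.group(2).strip()
            last = field
            if field == "DHCP Enabled":
                cfg["dhcp_enabled"] = value.lower() == "yes"
            elif field == "DHCP Server":
                cfg["dhcp_server"] = ipaddress.ip_address(value)
            else:
                cfg["dns_servers"].append(ipaddress.ip_address(value))
            continue
        c = CONT_RE.match(line)
        if c and last == "DNS Servers":
            cfg["dns_servers"].append(ipaddress.ip_address(c.group(1)))
        else:
            last = None
    return cfg


def audit_client(cfg):
    """Return the reasons this client is not set up the way a domain member should be."""
    findings = []
    if cfg["dhcp_enabled"] and cfg["dhcp_server"] != SBS_INTERNAL:
        findings.append(f"DHCP lease came from {cfg['dhcp_server']}, not the SBS at "
                        f"{SBS_INTERNAL}; the router is still handing out addresses")
    if not cfg["dns_servers"]:
        findings.append("no DNS servers configured")
    for dns in cfg["dns_servers"]:
        if dns == SBS_INTERNAL:
            continue
        if dns in SBS_FORWARDERS:
            findings.append(f"DNS server {dns} is an ISP resolver; it belongs in the "
                            f"SBS forwarder list, not on the client")
        elif dns not in INTERNAL_NET:
            findings.append(f"DNS server {dns} is outside {INTERNAL_NET}; domain "
                            f"members must resolve through the SBS")
        else:
            findings.append(f"DNS server {dns} is internal but is not the SBS; AD "
                            f"lookups will fail unless it also hosts the AD zone")
    return findings


def audit_forwarders(forwarders):
    """The SBS should forward to the ISP's resolvers, never to itself or an inside box."""
    findings = []
    if not forwarders:
        findings.append("no forwarders set; the SBS DNS will fall back to root hints "
                        "instead of the ISP's resolvers")
    for fwd in forwarders:
        if fwd == SBS_INTERNAL:
            findings.append(f"forwarder {fwd} is the SBS itself (a loop)")
        elif fwd in INTERNAL_NET:
            findings.append(f"forwarder {fwd} is on the internal network; forwarders "
                            f"should be the ISP's resolvers")
    return findings


if __name__ == "__main__":
    for name, dump in [("good client", GOOD_CLIENT), ("peer-style client", PEER_STYLE_CLIENT)]:
        problems = audit_client(parse_ipconfig(dump))
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
    for p in audit_forwarders(SBS_FORWARDERS):
        print("SBS forwarders:", p)
```

Run it against real dumps by pasting each workstation's `ipconfig /all` into the script (or reading it from a file); the first client comes back clean, the second gets three findings: the router is still the DHCP server and both of its DNS entries are the ISP's resolvers, which is exactly the peer-network habit the paragraph above describes.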
I'm going to go out on a limb here and say something controversial... [yeah, like that's a surprise] I think the important thing is not necessarily one NIC or two [even though I would still strongly argue for two NICs and RRAS+router or ISA+router], but rather that whatever firewall you pick, you monitor it and KNOW it.
One of the annoying things right now to me about ISA 2004 is that I'm not quite comfortable with it and don't quite have the same level of knowledge of it as I did of ISA 2000. But I must say that what I like about it [and actually everything on SBS is in this category] is that because it is sitting on a box where I've turned on monitoring [or SBS's wizards have] and I've turned on its reporting... I'm LOOKING at it. People say that one of the problems with SBS is that 'it's all your eggs in one basket' but... my view is that it's a basket that, because of the monitoring tools, I'm looking at a heck of a lot more than my member server. If I had services and more redundancies, I wouldn't have the monitoring in place on those redundant places [Lord knows I don't on my member server, which is something I need to fix]. I feel that BECAUSE it's all in one basket I really pay attention to it much better than I would if its services were strung out across several servers. Call me crazy, but I think... I feel... better about it because my 'attack surface'... my 'threat model'... is one that I monitor a lot more because of SBS's monitoring emails that shove that data in my face.
I think the important thing isn't necessarily one NIC or two... but rather the age-old rule in protecting your assets: “KNOW THY SYSTEMS”. If you don't know... don't patch... don't understand... don't monitor that firewall... don't watch the log files... I don't think it matters a whit whether it's one NIC or two.
So... let's have at it [and yes, sorry, I know the Captcha spam filter barfs a lot these days when you go to post back on the blog]... post your comments... one NIC or two... and why do you choose that? What is it about what you choose that makes it feel right to you?
Filed under: Security