Tuesday, August 19, 2008

Never choose the obvious if there's a better choice....

Today I'm looking at network topology.

Looking at our list of services we want our server to provide, it's pretty obvious we need all the traffic to flow through our server. You can't do web filtering etc. without it.

My home network is pretty typical. I've got four desktop computers, a laptop and a Nintendo Wii. For network gear there's a typical cheap wireless router, a switch and a DSL modem provided by my ISP.

The wireless was bridged with the wired side. That way the wireless network, the desktops, etc. were all on the same subnet.

I'm comfortable that the combination of WPA encryption and below ground placement of the wireless router makes it unnecessary to segregate the wireless further.

So, why can't I just put our new home server right there where the IPCop box was? Well, we want it to serve files and maybe handle email as well. The common wisdom is that your server shouldn't be your firewall. There are two reasons for that. One, the firewall is the first line of defense. It's most likely to be attacked first, and losing control of it shouldn't mean you've lost control of all your documents, etc. too. Secondly, the more stuff there is on your firewall, the more stuff the bad guys have to try and find a weakness in.

Note this is really one of the bigger flaws of the MS Small Business Server that our previous commenter pointed out - all your eggs are in one basket, and that basket is exposed to the internet.

OK, so if we can't put our server on the front lines, then why don't I put the wireless router after the modem in front of the server? Two strikes against that idea too.

One, the laptop is often used as a remote control for one or another of the desktops. If the wireless is a separate subnet, then I'm going to have to poke holes in firewalls etc. to make that possible, limiting our flexibility.

Second, that makes the whole network depend on that $30 router - and I have seen too many cases where a cheap router is the source of intermittent issues and frequent lockups.

What else could I do? Well, we could put yet another box in front of our server, after the modem. It would have to be a Linux box or a quality router to avoid issues. But yet another computer is likely to fall afoul of rule zero :-) and it's hard on the hydro bill too. Buying a quality router breaks rule one.

I must admit I was considering lowering my security standards. I thought I'd painted myself into a corner with this one. Then I started looking at that modem my DSL provider gave me....

It's a Gnet BB2060 - a pretty common ADSL box they hand out to every customer. My ISP sets them up 'bridged' so that you run your PPPoE software on a router or PC and the box acts just as a modem. On the other hand, their competition has started handing out 'routers' that act as both the modem and router. They provide DHCP services etc. on the LAN side and do the authentication internally, so clients just run standard DHCP.

I dug up a manual for my modem online (thanks Google!) and it turns out, as I suspected, it can function either as a bridged modem or as a router/modem combo.

I'm not sure what my ISP would think about me doing this - and I'm not going to ask - but I have a very solid relationship with them and a spare modem I can borrow from work if I run into something really weird.

If your ISP is one of those multinationals you might want to think about what happens when you call with a service complaint and the modem doesn't work like it's supposed to on their phone support flowchart.

Now I know that modem is just a $30 box just like my own wireless router, but I have to depend on it anyway, so I'm hoping having it act as router isn't going to make it any less reliable. On the positive side, rebooting the modem is a standard troubleshooting step my wife is comfortable with and it's easily accessible (unlike that wireless router).

The next post will detail what I had to change (and what I was careful to leave alone). I might even snag some screenshots.
