Public IP advice...

MattWray

Technical User
Nov 2, 2001
US
Our office has 5 public IPs. Currently we use only 1 on our router and all internal IPs are private. I have VPN traffic forwarded for that IP to a VPN server. I am in the midst of setting up my first web server and here's where I need some advice. Would it be sufficient to simply forward port 80 to the web server with an internal IP or should I set it up in the DMZ with a public IP itself? I wasn't sure if having the VPN and Web traffic with the same IP would be troublesome or if the router should be able to handle it ok. Pros and Cons are welcome...

Matt Wray
CCNA, MCP
 
You shouldn't have any trouble having the VPN and web use the same IP. There is no traffic difference between using the same or separate IPs. Each of those services uses different ports, so they will be perfectly distinct if you do port forwarding. I'd recommend keeping your configuration as simple as possible by not using the DMZ, unless you want to segregate that system and its services from the rest of your internal hosts for security reasons.

ShackDaddy
 
"segregate that system and its services from the rest of your internal hosts for security reasons"

Exactly. If the web server is exposed then anything "out there" is now "in here." The risk is tremendous particularly if you're using IIS.

Once you expose the server you will find it being probed CONSTANTLY with attempts being made to access the system. Compromise of any security system is not a matter of if, but when and, once compromised, every other system on your network becomes a target for attack.

If the DMZ can be implemented with minimal additional cost and management and does not interfere with your WEB apps, I would recommend doing so.

However, in the end you must make the decision based on risk/reward criteria:
What is the risk of attack?
What is the probability of a successful attack?
What is the cost of a successful attack?
What is the cost of the additional security (both in dollars and manpower)?
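
The segregation point in the replies above, as an added example that is not part of the original thread: a small reachability model comparing what a compromised web server can open connections to when it is port-forwarded on the LAN versus placed on a separate DMZ segment. The addresses (documentation ranges), host list, ports and rule sets are constructed assumptions, and the firewall is assumed to be default-deny and stateful.

```python
from ipaddress import ip_address, ip_network

def zone_of(ip, segments):
    """Name of the segment an address sits on; anything else is the internet."""
    for name, net in segments.items():
        if ip_address(ip) in ip_network(net):
            return name
    return "internet"

def can_reach(design, src, dst, port):
    """Can src open a NEW connection to dst:port? Replies to allowed flows are not modelled."""
    s = zone_of(src, design["segments"])
    d = zone_of(dst, design["segments"])
    if s == d and s != "internet":
        return True  # same segment: switched directly, the router never sees it
    return any(rs == s and ip_address(dst) in ip_network(rd) and rp in (None, port)
               for rs, rd, rp in design["rules"])

def exposure(design, compromised, hosts, ports=(445, 3389)):
    """(host, port) pairs a compromised machine could connect to."""
    return [(h, p) for h in hosts for p in ports if can_reach(design, compromised, h, p)]

# Constructed sample data: two internal hosts and one outside client.
LAN_HOSTS = ["192.168.1.20", "192.168.1.30"]
OUTSIDE = "198.51.100.7"

# Rules are (source zone, destination network, port or None for any port).
# Design 1: port 80 forwarded to a web server that lives on the office LAN.
FLAT = {"web": "192.168.1.10",
        "segments": {"lan": "192.168.1.0/24"},
        "rules": [("internet", "192.168.1.10/32", 80),
                  ("lan", "0.0.0.0/0", None)]}

# Design 2: web server on its own DMZ segment with a public address.
# There is deliberately no rule with "dmz" as the source zone.
DMZ = {"web": "203.0.113.10",
       "segments": {"lan": "192.168.1.0/24", "dmz": "203.0.113.8/29"},
       "rules": [("internet", "203.0.113.10/32", 80),
                 ("lan", "0.0.0.0/0", None)]}

if __name__ == "__main__":
    for name, design in (("port forward", FLAT), ("DMZ", DMZ)):
        print(name, exposure(design, design["web"], LAN_HOSTS))
```

Both designs expose only port 80 to the outside; the difference is that in the port-forward design the web server shares a segment with the internal hosts, so no router rule stands between them.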
 
Thanks for the pointers, guys! One more question. With the server in my DMZ, the setup would be something like this:

DSL router-> web server
-> server as network router with NAT-> network

If I added another small DSL router with NAT before my network router server, do you think this would provide good security?

Matt Wray
CCNA, MCP
 