DMZ best practices?
-
I’m currently using IPCop, and have 3 servers in the DMZ (Web, Mail gateway, and FTP). The DMZ interface is connected to a switch along with the 3 servers.
There is very little (if any) traffic among the three servers. Heavy traffic between our LAN and the three servers, and moderate traffic from the outside to the three servers.
I have plenty of physical interfaces available on the pfSense box (8), and could easily add another four. Are there any issues associated with a pfSense box having a large number of NICs?
Are there any advantages/disadvantages to using a separate physical interface for each server, rather than creating a “DMZ” network for all three servers similar to the IPCop configuration?
-
The forum search is your friend. You'll find answers to your NIC question in a number of threads (ISTR that there is a practical physical limit, but it's more than 4).
If you're really paranoid (or regularly under attack) then a separate interface per server isn't a bad thing. Otherwise a single DMZ is likely to be "good enough".
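To make the security difference between the two designs concrete, here is an added illustration (not from this thread or from pfSense's own configuration) of the policy that becomes possible when each DMZ host sits on its own firewall interface. It is written in pf.conf syntax, which pfSense uses underneath; the interface names, addresses and ports are assumed placeholders, and it assumes the servers are reachable without NAT (or that any rdr rules live elsewhere).

```pf
# Added illustration: one interface per DMZ host, strict inter-segment policy.
# All names and addresses below are assumptions, not values from the thread.
ext_if  = "em0"
lan_if  = "em1"
web_if  = "em2"   # web server alone on this segment
mail_if = "em3"   # mail gateway alone on this segment
ftp_if  = "em4"   # FTP server alone on this segment

lan_net  = "192.168.1.0/24"
web_srv  = "10.0.2.10"
mail_srv = "10.0.3.10"
ftp_srv  = "10.0.4.10"

set skip on lo0

# Default deny, logged: anything not listed below (including one DMZ host
# talking to another) ends up in the pf log, where it can be alerted on.
block log all

# Outside -> DMZ: only the published service on each host
pass in on $ext_if proto tcp from any to $web_srv  port { 80, 443 }
pass in on $ext_if proto tcp from any to $mail_srv port 25
pass in on $ext_if proto tcp from any to $ftp_srv  port 21

# LAN -> DMZ: the heavy internal traffic the thread describes, limited to
# the service ports plus SSH for administration (assumed)
pass in on $lan_if proto tcp from $lan_net to $web_srv  port { 22, 80, 443 }
pass in on $lan_if proto tcp from $lan_net to $mail_srv port { 22, 25, 143 }
pass in on $lan_if proto tcp from $lan_net to $ftp_srv  port { 22, 21 }

# DMZ -> outside: only what each host needs (assumed: mail relay out, DNS)
pass in on $mail_if proto tcp from $mail_srv to any port 25
pass in on { $web_if, $mail_if, $ftp_if } proto { tcp, udp } \
    from { $web_srv, $mail_srv, $ftp_srv } to any port 53

# Not listed, therefore blocked and logged:
#   - DMZ host -> LAN (a compromised server cannot pivot inward)
#   - DMZ host -> another DMZ host (web cannot reach mail or FTP)
# Stateful "pass in" rules create floating states, so the reply packets
# leaving on the other interface are allowed without separate "pass out"
# rules.
```

The last block of comments is the point of the exercise. With all three servers on one switch behind a single DMZ interface, server-to-server traffic never crosses the firewall, so no rule can restrict or even log it; the only way to get that visibility on a shared segment is a switch feature such as private VLANs. With one interface per host, every packet between servers is subject to the same default-deny policy as everything else, which is what "more security" in the reply above buys you.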
-
Thanks!
I was able to find a few instances where over 12 NICs were being used on a pfSense box, and I’m going to do a reload and see how my box works with 12.
I’m considering having each server on a separate physical interface not so much for security reasons, but in hopes for better performance. There is a lot of traffic from the inside to all three servers.
-
This approach isn't likely to give you more performance. If you treat your firewall as a switch, the bottleneck will be the bus speed at which your NICs are connected. This is unlikely to be faster than the backplane of a decent switch.
-
Having each on a separate NIC provides more capability if you ever do need more security.
I have 10 NICs here on my box and no problems, although I'm only using 4 of them. ::) Steve
Edit: Agreed that separate interfaces will reduce the performance between the servers, but will it increase the performance between LAN and DMZ1-3? :-\
Edit: If running on this hardware?
Sun SunFire x4100 with 2x 2.4GHz AMD dual-core processors, 16GB RAM, and a RAID1 of 2 146GB SAS drives.
-
There is not a lot of traffic between the servers in the DMZ. If that were the case, I would suspect that having a single DMZ network connected to a switch would be the best approach. However, there is a lot of traffic between the LAN and the three servers.
I have given myself a few weeks to get the new box online, and I might try both configurations. Might even try trunking a pair of interfaces (link aggregation) to both the DMZ switch and the LAN switch. I really like all the options that pfSense offers. Although, all the options might get me into trouble!
Thanks again!
Mark