On Tuesday 05 February 2002 09:23, Stefan Nauber wrote:
Thanks for your reply. You advised me against connecting the administrative network to the normal LAN. I understand that there is a security risk, but this was what I actually wanted to do. The idea was that I wanted to administer the computers from my desktop without interference with the productive traffic.
Personally I think it's a good idea, and D-Link made some 4 port 100BaseT cards which were very useful for this sort of purpose. This kind of backend network should also use an ether switch if at all possible; they cost little more than hubs and reduce eavesdropping possibilities even further. Furthermore, using 4 port cards additionally allows things like a web server to communicate with backend databases or file servers using a separate server network, at little extra cost (and co-located rackspace is cheaper without IP address or traffic allocation). The hosts in the DMZ should not route packets between the networks, and should only permit admin access through the admin host 'bastion' on that network. The administration network should not be trusted by that admin host; packet filtering should be in place. Any probing causing packets to be dropped in that admin network should trigger some immediate and heavy attention.

Rob
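The "dropped packets should trigger attention" advice above, as an added example that is not part of the original thread: a small Python pass over packet-filter logs that reports every drop seen on the admin interface and tags sources that are not the bastion, that tried to have the host route for them, or that swept several ports. The interface name `eth1`, the bastion address `10.9.0.2`, the `ADMIN-DROP` log prefix and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
# Assumptions for this example (none come from the thread): the admin network
# is on eth1, the bastion is 10.9.0.2, and the packet filter logs admin-side
# drops in netfilter LOG format with the prefix "ADMIN-DROP".
ADMIN_IFACE, BASTION, PREFIX = "eth1", "10.9.0.2", "ADMIN-DROP"
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_drop(line):
    """Return the KEY=value fields of a drop seen on the admin interface, else None."""
    if PREFIX not in line:
        return None
    fields = dict(FIELD.findall(line.split(PREFIX, 1)[1]))
    return fields if fields.get("IN") == ADMIN_IFACE and "SRC" in fields else None

def alerts(lines):
    """Report every admin-network drop per source; tags say why it stands out."""
    seen = defaultdict(lambda: {"count": 0, "ports": set(), "routed": False})
    for line in lines:
        f = parse_drop(line)
        if f is None:
            continue
        entry = seen[f["SRC"]]
        entry["count"] += 1
        if f.get("DPT", "").isdigit():
            entry["ports"].add(int(f["DPT"]))
        # A non-empty OUT= means the packet was to be forwarded to another network.
        entry["routed"] = entry["routed"] or bool(f.get("OUT"))
    report = []
    for src in sorted(seen):
        e = seen[src]
        checks = (("not-bastion", src != BASTION), ("route-attempt", e["routed"]),
                  ("sweep", len(e["ports"]) >= 3))
        report.append((src, e["count"], sorted(e["ports"]), [t for t, hit in checks if hit]))
    return report

def _line(prefix, iface, out, src, dst, dpt):
    # Builds one constructed log line (not a real capture).
    return ("Feb  5 10:01:02 web1 kernel: %s IN=%s OUT=%s MAC=00:00:00:00:00:01 "
            "SRC=%s DST=%s LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=%d SYN"
            % (prefix, iface, out, src, dst, dpt))

SAMPLE = [_line(*args) for args in [
    (PREFIX, "eth1", "", "10.9.0.7", "10.9.0.5", 22), (PREFIX, "eth1", "", "10.9.0.7", "10.9.0.5", 23),
    (PREFIX, "eth1", "", "10.9.0.7", "10.9.0.5", 3306),
    (PREFIX, "eth1", "eth0", "10.9.0.7", "192.0.2.10", 80),  # asks web1 to route
    ("WAN-DROP", "eth0", "", "198.51.100.4", "192.0.2.5", 445),  # not admin side
    (PREFIX, "eth1", "", "10.9.0.2", "10.9.0.5", 8080),  # bastion, denied port
]]
```

Calling `alerts(SAMPLE)` returns one tuple per source; a drop from the bastion itself is still reported, with an empty tag list, since any drop on this network is worth a look.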