Re: Isolating network interface
On May 5, 7:30 pm, markfaine <mark.fa...@gmail.com> wrote:
> The data center in charge of our network has a rule against dual-homed
> systems on the network.
Which network?
> Apparently this can be used to bypass the
> firewall. However, I think I have a situation where it is necessary
> and the risk is negligible but I just thought I'd ask the experts
> first.
>
> Two firewalls, we will call them public and private
> Two networks, also public and private.
>
> The local server has three interfaces and is on the public network
> behind the public firewall.
>
So it's already triple-homed in contravention of the security policy?
> eth0 -> public (192.x.x.x)
> eth1-> backup network (172.16.x.x)
> eth2-> backend local switch (10.0.0.x)
>
WTF is backup network? And why do you need a separate physical *and* IP
subnet for backup? Never heard of bonded interfaces? NetRAIN? Router
failover?
'Back-end local switch' is this another network?
> The server that we need to access is on the private network behind the
> private firewall.
>
They can't talk to each other if they're both acting as servers - I
assume you mean that the previous box acts as a client?
> eth0 -> private
> eth1 -> backup network
>
Is this the same backup network as the previous box or a back up for
the private network?
From your initial description your network looks like this:
[public network: [PublicServer-client]--->[Public_firewall]]
[Private network [RemoteServer]-->[PrivateFirewall]]
[backend local switch [PublicServer]]
[backup public network [PublicServer]]
[backup private network [RemoteServer]]
You don't say how these networks are connected.
> We don't want to have to go out and back in because this causes too
> much performance degradation.
>
Which implies that there is some connection there (and yet another
network called 'out').
[out]
(2 hosts, 6 networks!)
> I propose that we add an interface to the remote server, making it:
>
> eth0 -> private
> eth1 -> backup network
> eth2 -> our back-end network.
>
> What I need to know is that this can be secured. That, solely from a
> security standpoint, I would be justified in proposing this solution.
>
I've totally lost track of how many networks there are and how they
are currently connected. But if your proposal is valid you don't need
another NIC, real or virtual - just a route. I suppose it might be
more appropriate to create a tunnel initiated at the server end of the
connection you really want to create. But without a clear view of how
your networks are configured currently and the functionality/policy
on the firewalls it's impossible to say.
C.