Old 05-06-2008
markfaine
 
Re: Isolating network interface

On May 6, 8:07 am, "C." <colin.mckin...@gmail.com> wrote:
> On May 5, 7:30 pm, markfaine <mark.fa...@gmail.com> wrote:
>
> > The data center in charge of our network has a rule against dual-homed
> > systems on the network.
>
> Which network?
>
> > Apparently this can be used to bypass the
> > firewall. However, I think I have a situation where it is necessary
> > and the risk is negligible but I just thought I'd ask the experts
> > first.
>
> > Two firewalls, we will call them public and private
> > Two networks, also public and private.
>
> > The local server has three interfaces and is on the public network
> > behind the public firewall.
>
> So it's already triple-homed in contravention of the security policy?
>
> > eth0 -> public (192.x.x.x)
> > eth1-> backup network (172.16.x.x)
> > eth2 -> backend local switch (10.0.0.x)
>
> WTF is backup network? And why do you have a separate physical *and* IP
> subnet for backup? Never heard of bonded interfaces? NetRAIN? Router
> failover?
> 'Back-end local switch' is this another network?
>
> > The server that we need to access is on the private network behind the
> > private firewall.
>
> They can't talk to each other if they're both acting as servers - I
> assume you mean that the previous box acts as a client?
>
> > eth0 -> private
> > eth1 -> backup network
>
> Is this the same backup network as the previous box or a back up for
> the private network?
>
> From your initial description your network looks like this:
>
> [public network: [PublicServer-client]--->[Public_firewall]]
>
> [Private network [RemoteServer]-->[PrivateFirewall]]
>
> [backend local switch [PublicServer]]
>
> [backup public network [PublicServer]]
>
> [backup private network [RemoteServer]]
>
> You don't say how these networks are connected.
>
> > We don't want to have to go out and back in because this causes too
> > much performance degradation.
>
> Which implies that there is some connection there (and yet another
> network called 'out').
>
> [out]
>
> (2 hosts, 6 networks!)
>
> > I propose that we add an interface to the remote server, making it:
>
> > eth0 -> private
> > eth1 -> backup network
> > eth2 -> our back-end network.
>
> > What I need to know is that this can be secured. That, solely from a
> > security standpoint, I would be justified in proposing this solution.
>
> I've totally lost track of how many networks there are and how they
> are currently connected. But if your proposal is valid you don't need
> another NIC, real or virtual - just a route. I suppose it might be
> more appropriate to create a tunnel initiated at the server end of the
> connection you really want to create. But without a clear view of how
> your networks are configured currently and the functionality/policy
> on the firewalls it's impossible to say.
>
> C.


Forgive me, I am not a network engineer and didn't post the question
to be berated for my lack of knowledge of the subject.

Regardless, I think you have answered my question.

-Mark