Dual Nic vs. Single Nic

Discussion in 'Windows Small Business Server' started by Richard K, Nov 12, 2007.

  1. Richard K

    Richard K Guest

    I have an SBS 2003 standard machine (no isa) and I can configure it with a
    single nic or dual nic configuration. I can also put a simple router on my
    front end between dsl and server that will do simple NAT and specific port
    forwarding. What would you do to configure the server and more importantly
    what are the pros and cons of a single vs. dual nic configuration?

    Thanks!

    -Richard
     
    Richard K, Nov 12, 2007
    #1

  2. Hi Richard:

    With a simple NAT router you should use the two nic config. SBS has its own
    internal firewall that will shield it from much of the rubbish that the bad
    guys try from outside your network. Only if you have a true "firewall"
    between your SBS and the inet should you use a single nic config.
     
    Larry Struckmeyer, Nov 12, 2007
    #2

  3. A two NIC SBS (no ISA) is just a NAT router, nothing magic about it.

    I just fired up my two NIC (no ISA) VM to check, Windows Firewall is
    disabled (as I expected but had to check). RRAS NAT looks after the whole
    two NIC process. RRAS is not a firewall.

    You get 'shielded from outside' courtesy of not having processes listening
    for traffic (IP:PORT), nothing more. A simple NAT router in front of either
    (1 or 2) simply allows control of what hits the server, there is very little
    functional difference between RRAS NAT and NAT provided by a simple device.

    There is a (very) minor argument about 'layers' of security (the onion) and
    NAT in front of SBS with or without ISA. An exploit must both traverse the
    router and SBS. It has been more than a few years since I considered such
    anything but barely mentionable, happened after I attended a security class.
    The main purposes of such a device should be considered as a) a stable IP
    interface and b) noise stopper.

    If you don't have a firewall no externally initiated connection to any
    server should be possible. (including SMTP, let alone HTTwhatever)
     
    SuperGumby [SBS MVP], Nov 12, 2007
    #3
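
The point in post #3, that exposure comes down to which processes are listening on which IP:PORT, can be checked directly from `netstat -ano` output. The following is an added example, not part of the original thread: it parses a constructed netstat sample and lists listeners bound to the external NIC address or to the wildcard address. The addresses (203.0.113.10 external, 192.168.16.2 internal) and the allowed-service set are assumptions.

```python
import ipaddress

# Constructed sample of `netstat -ano` output from a two-NIC server.
# Assumed addresses: 203.0.113.10 = external NIC, 192.168.16.2 = internal NIC.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1824
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.16.2:139       0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2100
  TCP    192.168.16.2:3389      192.168.16.50:51112    ESTABLISHED     900
  UDP    0.0.0.0:53             *:*                                    1500
  UDP    192.168.16.2:137       *:*                                    4
"""

def parse_listeners(text):
    """Yield (proto, ip, port, pid) for TCP LISTENING rows and all UDP rows."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue                      # header or unrelated line
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue                      # established/closing connections
        host, _, port = f[1].rpartition(":")
        yield f[0], host.strip("[]"), int(port), int(f[-1])

def exposed_on(text, external_ip):
    """Listeners bound to external_ip or to the wildcard address."""
    ext = ipaddress.ip_address(external_ip)
    hits = []
    for proto, host, port, pid in parse_listeners(text):
        addr = ipaddress.ip_address(host)
        if addr == ext or addr.is_unspecified:
            hits.append((proto, port, pid))
    return sorted(set(hits))

def unexpected(text, external_ip, allowed):
    """Exposed listeners whose (proto, port) is not in the allowed set."""
    return [h for h in exposed_on(text, external_ip)
            if (h[0], h[1]) not in allowed]

if __name__ == "__main__":
    allowed = {("TCP", 25), ("TCP", 443)}  # assumed intended published services
    for proto, port, pid in unexpected(SAMPLE, "203.0.113.10", allowed):
        print(f"{proto}/{port} listening on external side (PID {pid})")
```

A listener in this list is only a candidate for outside reachability; whether traffic actually arrives depends on what the device in front of the server forwards or filters.
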
  4. Richard K

    Richard K Guest

    Thanks for the info. The only reason I am asking these questions is to
    continue to gain knowledge. To me whether you run a single vs. dual nic I
    always like to have even a basic router on the front end for the simple
    reason of controlling port traffic. I never like to hook an SBS server
    directly to DSL or cable. I also agree with that router you would be better
    served with more firewall capabilities such as packet filtering. But am I
    correct in saying the basic firewall in SBS works whether you run a single
    vs. dual NIC configuration? So I guess my question comes down to, taking the
    router out of the equation, what are the advantages/disadvantages of a single
    vs. dual nic?

     
    Richard K, Nov 12, 2007
    #4
  5. and isn't that reason Windows Server 2008 (ie. not an 'SBS thing') reduced
    support for or possibly appreciation of limitations of RRAS NAT? (ie. having
    very little indeed to do with 'firewalls')

    Sorry for the delay in posting, I had to do a (not so) quick read of
    generally available comment.
     
    SuperGumby [SBS MVP], Nov 12, 2007
    #5
  6. Today?

    Either implement a single NIC system and a true firewall OR a dual NIC
    system and a true firewall (ISA). Running dual NIC and a proper firewall can
    complicate things unnecessarily. You _cannot_ take the routing device out of
    the equation and whether that device provides firewall functionality or not
    is a major part of the deal.

    Running a NAT router in front of 2 NIC SBS Standard offers _very little_ as a
    'security' thing (onion, noise reduction) but does have the advantage of
    acting as a stable IP interface under your control. This benefit also
    applies to systems including ISA, I've moved both Standard and Premium
    systems physically (change of building or city) and logically (change ISP or
    connection type) without so much as running the CEICW.

    Tomorrow (when it comes)?

    We'll see, but I'm looking at 1 NIC and a (much less expensive than
    yesteryear) appliance (which may in fact be ISA :).
     
    SuperGumby [SBS MVP], Nov 12, 2007
    #6