If you've read a couple of my other threads recently, you'll know I'm in the process of moving all my websites and email domains off a very expensive VPS, and onto a new server (or possibly several) I'll host myself (thanks to FTTC, static IP addresses, and a 10 Mbps upload speed).
Pretty obviously, I'll need to set up appropriate port forwarding, and so I've been pondering for a few days about the best way to do this. I've considered three options:
1) Keep the servers on the existing network. This means they'll be easily accessible from the other PCs in the house, but I'd have to manage all the port forwarding through the one main router, and I'm a little concerned about a) the potential for screwing up my internet connection, and b) whether there are more security risks involved with having my public servers on my main network.
2) Swap in a new router, have the servers attached to that, and attach my existing router to the new one - essentially my home network sits one step removed from the incoming network, and I manage all the incoming port forwarding from the (new) primary router. With this one, I don't know how much of a hassle it would be to get all the connection details for my ISP - they were preloaded on the router they sent me and are clearly *not* the details I registered with (which I assume is to do with the fact that it's an FTTC connection). It'd also mean some downtime whilst I swap everything around.
3) Get a new router and connect its WAN port to the existing network; stick all the servers behind it, direct all incoming traffic to the new router's WAN IP - essentially the same as 2 but with the routers reversed (i.e. the servers now have 2 routers between them and the outside world). On the plus side, this would be dead easy to manage on the existing router without messing up the existing home network, and also easier to add new servers to (just stick them on the second router and mess with the port forwarding on that, rather than messing with the main network) but again I'm not sure if there are any implications for security.
My gut feeling is that 2) is the more secure way (i.e. have the home network double-removed from the incoming connection) but 3) is mightily tempting just for the ease of management. Anyone got any experience on managing this kind of network, or just general opinions on the best way to go about it?


- worse, through my ISP. Fortunately I detected it before they did - still needed a large grovel.
