OS X Server - Realistic Expectations?
Mac Elite
Join Date: May 2001
Location: Vancouver
I'm doing some spot consulting for a friend of a friend and wanted to know if anyone can answer the following.
The friend's company is putting in a broadband connection and wants to set up a Web/FTP/mail server as well as a firewall to protect the network of about 30 users.
In addition to the above duties, I would probably put the OS X Server box on DHCP duty as well as basic file sharing.
While it's obviously not the best idea to put your firewall on the same box as your file server, would this be too much to handle?
Also, if the server were to assume NAT duties, an additional network card would be in order I suppose.
Anyone with real-world experience, please comment.
Cheers,
Jeff
Mac Elite
Join Date: May 1999
Location: San Jose, CA
More info is required to properly answer your question, but I'll give you a few pointers.
First, you don't specify the Mac hardware level - there's a lot of difference between a first generation B&W and a Dual-gig QuickSilver.
Second, what do you mean by broadband? To some people, a 144K DSL line is broadband, whereas to others a 45 Mbps T3 line is just passé.
At the lower end (up to, say, a T1 line with moderate traffic), any G4 should be fine. Anything more than that and you'll probably be running a dedicated router, anyway.
As for the network configuration, any time you're running NAT or firewall applications you HAVE to run dual NICs (well, technically it's not a requirement, just totally braindead of you not to). You configure one of the NICs as the external network and the other as internal. All hosts in your network connect to the internal NIC.
Even Apple realized their mistake in shipping the original AirPort Base Station with a single NIC. IMHO they should recall all revision 1 base stations for an upgrade.
With dual NICs it's much easier to configure ipfw (a global deny all on the external interface after your specific allow rules).
Without dual NICs, you cannot prevent DHCP leakage over the network - your DHCP announcements would be broadcast upstream to anyone else connected to your ISP.
It's harder (impossible?) to secure your network with a single NIC since someone else might configure their machine with one of your DHCP addresses and you'd have no way of knowing if they're legit or not. With dual NICs you know which interface your private network traffic should be on.
So go ahead and get a second NIC for the machine and everything else should be OK.
Gods don't kill people - people with Gods kill people.
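One way to lay out the ipfw rules for the dual-NIC box described above (specific allows first, DHCP kept off the external NIC, NAT handed to natd, a global deny on the external interface last). This is an added example, not code from anyone in the thread; the interface names, the LAN range and the natd divert port are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. A reviewable ipfw ruleset for the
# dual-NIC layout Camelot describes. Constructed assumptions: en0 is the
# external NIC, en1 the internal NIC, 192.168.1.0/24 the LAN, and natd runs
# as "natd -interface en0" on its default divert port 8668.
EXT_IF="en0"
INT_IF="en1"
LAN="192.168.1.0/24"

# ipfw stops at the first matching rule, so the specific allows come first
# and the "global deny all" on the external interface comes last.
ipfw_rules() {
    cat <<EOF
add 00100 allow ip from any to any via lo0
# Anti-spoofing: LAN addresses must never arrive on the external NIC
add 00200 deny ip from ${LAN} to any in via ${EXT_IF}
add 00210 deny ip from any to ${LAN} in via ${EXT_IF}
# DHCP (udp 67/68) never crosses the external NIC: no leakage upstream.
# Relax this if the ISP assigns the external address itself via DHCP.
add 00300 deny udp from any 67-68 to any 67-68 via ${EXT_IF}
# Hand packets on the external NIC to natd; they re-enter at the next rule
add 00400 divert 8668 ip from any to any via ${EXT_IF}
# Replies to connections already set up (the server's own, or a LAN
# client's after natd has translated the address back) come in
add 00500 check-state
add 00510 allow tcp from any to any established
add 00520 allow udp from any 53 to any in via ${EXT_IF}
# Services published to the Internet: web, FTP control, SMTP
add 00600 allow tcp from any to me 80 in via ${EXT_IF} setup keep-state
add 00610 allow tcp from any to me 21 in via ${EXT_IF} setup keep-state
add 00620 allow tcp from any to me 25 in via ${EXT_IF} setup keep-state
# The LAN side is trusted, and anything may leave towards the Internet
add 00700 allow ip from any to any via ${INT_IF}
add 00710 allow ip from any to any out via ${EXT_IF}
# Everything else on the external interface is dropped and logged
add 65000 deny log ip from any to any via ${EXT_IF}
EOF
}

# Print the rules by default; apply them only when asked and ipfw exists.
if [ "${1:-}" = "--apply" ] && command -v ipfw >/dev/null 2>&1; then
    ipfw -q -f flush
    ipfw_rules | grep -v '^#' | ipfw -q /dev/stdin
else
    ipfw_rules
fi
```

Rule 00520 is the classic loose pattern for DNS replies; a stateful rule would be tighter, but keep-state entries created before natd translation do not match the translated replies, so this skeleton keeps it simple and says so.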
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Camelot, what you say about a dual NIC makes sense, but how is that approach superior to using a product like this standalone Router/Firewall? For the cost, I'd be inclined to go with a separate box (for most of the same reasons you cite for the dual NIC approach). Not challenging your suggestion; just seeking info.
[ 03-12-2002: Message edited by: Rainy Day ]
Mac Elite
Join Date: May 2001
Location: Vancouver
Camelot,
Sorry about the lack of specs.
He'd probably purchase any level of currently shipping or maybe one generation old G4 (so upwards of 700 MHz at least).
Broadband would probably be either 8 Mbit DSL or even 100 Mbit optical depending on what works for him (yes, this is the current "broadband" we get in Tokyo).
Agreed on the note about the dual NICs. I'm managing a Watchguard Firebox in my office and, silly me, forgot that it has 3 NICs to separate out all the traffic (private, DMZ, external).
Given those conditions, would OS X hold up under the load of handling firewalling duty and others at the same time? I imagine so but wanted to hear from someone actually doing it!
Cheers.
Junior Member
Join Date: Feb 2001
Please don't take this the wrong way, but it doesn't sound as if you are sure if you are qualified to be performing this task for the client. Network security is a serious issue and isn't something that one should be implementing without considerable knowledge and experience, especially in a business environment.
Stepping down from the podium, and assuming the call of the dollar is too great for you to ignore ;-)... most security experts would blanch at the idea of using a system as both a firewall/router and as any kind of server for the internal protected network. The design challenge is how to put the maximum "distance" between the WAN and the systems on the LAN; deciding where to locate the system that will be in the "DMZ" will depend upon the level of security required by the client and the available budget.
Check out the lower-end boxes from Cisco if budget permits, otherwise look into the high-end from the "soho" makers such as Netgear. The Netgear FV318 router with the Stateful Packet Inspection looks like a nice "business-class" box designed to compete with the low-end "big name" routers ($970):
http://www.netgear.com/product_view....12&zrp=110
Using such a router box (and DHCP server) in conjunction with one G4 as a dedicated external web/ftp/email server and another G4 as the internal file/account server would be a reasonable "basic" approach. The plans only get more interesting and expensive from there ;-)
Cheers,
-Nathan
Mac Elite
Join Date: May 2001
Location: Vancouver
No offense taken at all.
Just some simple questions posed by a Windows 2000 sysadmin (myself) running the full gamut of servers and clients with a proper hardware firewall (Linux-based hardware standalone unit) hoping to possibly find the holy grail of an all-in-one server in OS X for those folks not wanting to spend their last dollar...
I do practice proper network security separating my internal clients/server and those public servers behind the DMZ and practice a "block many, allow few" mentality for managing the firewall.
Thanks for the tip on the Netgear products; I personally use Watchguard, but with a starting price of close to $2,000 for the bottom-end unit, it would be hard to make a sale on that one...
Cheers.