Can u Check my Network Diagram

[DeadPenguin]

I will have the last of my major pieces delivered tomorrow. I just wanted to make sure I had it right.
This is what I have so far. I will probably be adding 1-2 more media directors. Plus adding a SIpura 3000 for VOIP to analog phones.
I am unsure if my wireless connections will get an IP address in this config. (I will turn the DCHP off on the FIOS wireless modem).
 

http://www.gliffy.com/publish/1277993/




Regards,
Blair

[dopey]

Looks good to me... and thanks for posting. I think it will help others a lot.

[DeadPenguin]

Thank you. That is a relief. I can't wait to get it started.

Best Regards,
Blair

[ewbragg]

I'm not familiar with the FIOS wireless router, but if it's similar to the Linksys or Netgear with 1 WAN port and 4 LAN ports, plug one of the LAN ports into your gig switch.  If you go into the WAN port, it may not work. At least that what I had to do with my Linksys.

[table9]

Peng,
I would use the router as my main connection to the internet.  This should minimize your risk on the internet.  You are going to use the device anyhow and might as well use it for the intended purpose.  There should be an uplink port to connect your switch to.  If a standard cable does not work there should be a small midi switch you can press to make it work.  Worst case scenario is you may need a cross over cable.  This should keep you more secure than putting your MCE device on the net.

[dopey]

Peng,
I would use the router as my main connection to the internet.  This should minimize your risk on the internet.  You are going to use the device anyhow and might as well use it for the intended purpose.  There should be an uplink port to connect your switch to.  If a standard cable does not work there should be a small midi switch you can press to make it work.  Worst case scenario is you may need a cross over cable.  This should keep you more secure than putting your MCE device on the net.

As to it being more secure... maybe, but most likely not, especially if you use an unmodified stock Linksys or something like that. You will loose functionality if you do that as well. Everything connected to that router would not be connected to LinuxMCE, unless you disable DHCP on the core and only use one network card... which will cause you to loose all plug and play and network booting functionality. This is almost certainly not what you want.

[table9]

You do not want your Linuxmce directly connected to the internet period.  Is a non hardened version of linux without the proper modules installed less secure than a decent router that is updated?  Yes, it is.  Placing Linuxmce on a single nic does no harm.  How the design should look Internet-> modem-> router-> switch-> clients (including Linuxmce)  You can turn DHCP off at the router, but use it as a router.  Of course you do not want to lose PnP, but security is very important.  Do not do a poor design because you may have to do slightly more work.
[/quote]

As to it being more secure... maybe, but most likely not, especially if you use an unmodified stock Linksys or something like that. You will loose functionality if you do that as well. Everything connected to that router would not be connected to LinuxMCE, unless you disable DHCP on the core and only use one network card... which will cause you to loose all plug and play and network booting functionality. This is almost certainly not what you want.
[/quote]

[DeadPenguin]

I am not really sure who to listen to here.
I am very good with computers, but I have never taken the time to learn about networking. I just know I want something between my PC's and the big bad internet and the router has worked well.

Regards,
Blair

[teedge77]

an unhardened firewall is better than no firewall at all...which is what you would get with the wireless router on the modem....all of your wireless clients would be directly exposed to the internet...but....NAT is usually enough to stop most stuff....its things you dont realize youve done that will get you. opening stuff....visiting sites....these will let things take control and send out calls to sites on the internet allowing backdoors and such to your computer to use them as zombies. these calls would mostlikely be stopped by most firewalls.

if you learn a little about linux firewalls...and you may have some work to do to get that right....then you can easily strengthen the firewall and the linuxmce box and make everything very secure. its just one other opinion though...dont mean to cause more confusion.

in the end...all im saying is

the diagram you have would work fine and would be safe if you take some time to configure things correctly.

[table9]

Teedge,
I have yet to see a wireless router without a firewall.  Linksys, Dlink, Netgear all have firewall capabilities built in.  Can you make it work...  yes.  Are there going to be sigificant number of more vunerabilities on your Linuxmce device than a router?   Yes.  Almost all routers run a hardened version of Linux.  It is running fewer services and thus has fewer vunerabilites.  There will potentially be issues when a expliot comes out of getting all of the dependencies working.  Are you really telling an average user to install a linux firewall and configure it instead of just doing a design that avoids complication and is more secure unless he is a Linux expert?  If he was an expert he would not have posed the question in the first place.  A significant part of good design is minimizing complication.  Run Nessus against MCE and a linux based FW router.  Unless you are an expert I guarantee the Linux based FW router is more secure.

an unhardened firewall is better than no firewall at all...which is what you would get with the wireless router on the modem....all of your wireless clients would be directly exposed to the internet...but....NAT is usually enough to stop most stuff....its things you dont realize youve done that will get you. opening stuff....visiting sites....these will let things take control and send out calls to sites on the internet allowing backdoors and such to your computer to use them as zombies. these calls would mostlikely be stopped by most firewalls.

if you learn a little about linux firewalls...and you may have some work to do to get that right....then you can easily strengthen the firewall and the linuxmce box and make everything very secure. its just one other opinion though...dont mean to cause more confusion.

in the end...all im saying is

the diagram you have would work fine and would be safe if you take some time to configure things correctly.

[dopey]

Table9,
There are a significant number of vulnerabilities in those routers as well. Hell, I remember a big stink because someone figured out the default Linuxsys password and was able to login to other people's routers remotely. Of course this was fixed with a firmware update, but the point is still valid.

The firewall built-in to LinuxMCE is the exact same one you would find in many of those routers (simple NAT, often using IP Tables). The default configuration is a sound one. You are right, however, that all these services do present a security risk and if you want to have that extra layer of protection, go ahead, but if you think that makes thing easier, you're dead wrong.

Yes, I would like to see a hardened kernel in the core with stack overflow protection. I also wouldn't mind having the router portion of this in a vmware environment. I agree this isn't the most secure method at current, but it is in no way in-secure.

[teedge77]

yeah....god forbid anyone learns anything....whod want that. i believe i said if thats what he wanted to do then there would be work involved (learning how). firewall capabilities and a firewall are not the same. you get some port forwarding and maybe thats all he wants. of course....you also dont know what model router he has. i jsut gave a suggestion. if hes willing to learn then the way he had it displayed is fine. i have a linksys WRK54G and theres no port blocking on there. i cant block any internal ports from accessing the outside. if i get some sortof SMTP spam crap sending out emails frmo me theyre gonna go right on through. at least through the router...theylll stop at the firewall..which...yes...astaro is linux based. anyway its up to him if hes willing to learn how or has time.

[dopey]

If that was directed towards me, I think you misunderstood what I was trying to say. I actually agree with you. I even gave advice in a few threads on how to put your router in front of the core. I just think the argument that the router should be used to make things easier is seriously flawed.

[teedge77]

sorry dopey, that was directed at table9....i took too long to post and you posted yours as i was writing...sorry...

[dopey]

No worries, I figured that might be the case.