Archive for August, 2009
2 IPs for Webserver security – What do you think?
So for the longest time our webserver was a Windows IIS machine running ASP Classic apps on an MSSQL database and administered via RDC, FTP, and a little WebDAV. As our campus has a perimeter firewall, we decided to take advantage of this to protect administrative services by using two NICs. The first hosted only the HTTP and HTTPS that were available to the public and was the only one with any special rules on the perimeter firewall. The second hosted our CMS, FTP, RDC, WebDAV, etc. and was only accessible from within the campus CAN. Due to the integration of a lot of these services in Windows this worked fairly well, allowing a good mix of accessibility and security.
Fast forward a few years and things have changed. First we went to a PHP/MySQL combination on our Windows server and were using a number of, shall we say, rudimentary techniques to force issues such as SEF friendly URLs, etc. Then last spring we decided we didn’t want IIS at all anymore and switched to a LAMP stack on Ubuntu Server, in the process eliminating our use of WebDAV, FTP, and RDC and relying solely on SSH for all non-Apache tasks.
As we move to a new server now I find myself asking whether the dual-NIC setup is worth it, given the independent structure of the various services and the fact that we don’t allow any non-public data on the machine. What do you guys think? Should I continue to segregate the CMS and SSH services by IP, thereby restricting their access to the campus CAN through a hardware firewall, or should I just use a single IP without using up scarce IPv4 addresses, etc.?
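For comparison, here is what the single-IP option would look like on the new LAMP box. This is an added example written for this page, not configuration from the original post. It assumes a hypothetical campus range of 10.0.0.0/8 and a CMS administrative area under /admin (both placeholders). The `policy` function is a small oracle for the intended rule set, `in_cidr` is a pure POSIX sh CIDR match, and the two print functions emit the iptables and Apache 2.4 fragments that implement the same policy (they print the rules; nothing is applied).

```shell
#!/bin/sh
# Added example (not from the original post): the "single IP" option expressed as
# host-side rules, plus a small policy oracle so the rules can be checked offline.
# Hypothetical values: the campus CAN is 10.0.0.0/8 and the CMS admin area is /admin.
CAMPUS_CIDR="10.0.0.0/8"
CMS_ADMIN_PATH="/admin"

# ip4_to_int DOTTED-QUAD -> prints the address as a 32-bit integer (POSIX sh only)
ip4_to_int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET/BITS -> exit status 0 when ADDR falls inside NET/BITS
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    # mask has the top BITS bits set; 4294967295 is 0xFFFFFFFF
    mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# policy SRC_IP DST_PORT [URL_PATH] -> prints ACCEPT or DROP
# Intended policy for a single-IP host: the web site is public, the CMS admin
# area and SSH are campus-only, everything else (MySQL included) is closed.
policy() {
    src=$1
    port=$2
    path=${3:-/}
    case $port in
        80|443)
            case $path in
                "$CMS_ADMIN_PATH"|"$CMS_ADMIN_PATH"/*)
                    if in_cidr "$src" "$CAMPUS_CIDR"; then echo ACCEPT; else echo DROP; fi ;;
                *)  echo ACCEPT ;;
            esac ;;
        22)
            if in_cidr "$src" "$CAMPUS_CIDR"; then echo ACCEPT; else echo DROP; fi ;;
        *)  echo DROP ;;
    esac
}

# print_iptables_rules -> the netfilter side of the policy (printed, never applied here)
print_iptables_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $CAMPUS_CIDR -j ACCEPT
EOF
}

# print_apache_fragment -> the Apache 2.4 side: iptables cannot see URL paths,
# so the CMS admin restriction has to live in the vhost configuration.
print_apache_fragment() {
    cat <<EOF
<Location "$CMS_ADMIN_PATH">
    Require ip $CAMPUS_CIDR
</Location>
EOF
}

# Stand-alone run: print the generated rules and a few policy decisions.
if [ "${1:-}" = "show" ]; then
    print_iptables_rules
    print_apache_fragment
    for probe in "10.20.30.40 22" "203.0.113.5 22" "203.0.113.5 443 /index.php" "203.0.113.5 443 /admin/login.php"; do
        set -- $probe
        echo "$probe -> $(policy "$@")"
    done
fi
```

Run it as `sh single_ip_policy.sh show` to print the rule fragments and sample decisions. The dual-NIC version of the same policy moves the source restriction from these rules to where the services listen: the CMS vhost bound to the internal address (`<VirtualHost internal-ip:443>`) and `ListenAddress internal-ip` in sshd_config, with the perimeter firewall doing the rest. Two caveats apply either way: `Require ip` sees the address of any reverse proxy or load balancer placed in front of Apache rather than the real client, and the default-DROP input policy is what keeps MySQL's port 3306 off the wire, so it is worth keeping whichever option is chosen.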
Please let me know what you guys think in the comments.