2.9.1 Introduction

Each company has its own IT rules and, more often than not, a dedicated IT staff to apply them. What we suggest here is therefore not a specific configuration, because you have to adapt it to your own business needs. It is rather a set of rules of thumb for organising data transport separation.

...

Info

It can be quite useful to consider the brandserver as a Session Border Controller when deciding how to configure its network placement.

 

2.9.2 Rules of thumb

The services separation occurs by considering the following rules:

  1. Use at least two network interfaces and set them up as:
    1. Internal Interface: private IP, not directly accessible from outside the company
    2. External Interface: public IP, directly accessible by anyone
  2. Services should always be split into two categories:
    1. management
    2. service provider
  3. Each category should be mapped to a different interface:
    1. management on the Internal Interface
    2. service provider on the External Interface
  4. One exception to rule number 3 applies if your company wants to offer the secure voice system to the internal network as well (or to some part of it)
  5. Both SIP/TLS and HTTPS-Smartphone Web Services are necessary to run the service on mobile devices
  6. public access is needed for  with Data packages are involved
  7. There is no point in having the Nagios service on the public interface
  8. Disable SSH access as soon as you can, or keep it as a last resort: you might want to place it on a hidden network or protect it with a firewall rule

 

2.9.3 Possible implementations

Our standard proposal is to split the VoIP service from the Administration service. The former responds on the first interface, which is either directly connected to the Internet with a public IP address or NATted from a public one. The latter responds on the second NIC, an internal interface with a private IP address assigned to it.
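One way to check a deployed host against the rules of thumb in 2.9.2 and the split described above, as an added example that is not part of the original documentation. The interface addresses, the port-to-category map (including the admin console port) and the sample listener table are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions, not from the page: interface addresses and port numbers.
INTERNAL_IP = "10.0.0.10"      # constructed private address
EXTERNAL_IP = "203.0.113.10"   # constructed public address (documentation range)
CATEGORY = {
    22: "management",          # SSH
    5666: "management",        # Nagios NRPE default port
    8443: "management",        # hypothetical admin console port
    5061: "service provider",  # SIP/TLS default port
    443: "service provider",   # HTTPS smartphone web services
}
# Rule 3 mapping. For the rule 4 exception, add INTERNAL_IP to "service provider".
ALLOWED = {"management": {INTERNAL_IP}, "service provider": {EXTERNAL_IP}}

# Constructed sample in the shape of Linux `ss -tln` output.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    203.0.113.10:5061   0.0.0.0:*
LISTEN 0      128    203.0.113.10:443    0.0.0.0:*
LISTEN 0      128    10.0.0.10:8443      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      64     203.0.113.10:5666   0.0.0.0:*
LISTEN 0      128    [::]:5061           [::]:*
"""

def audit(ss_output):
    """Return (address, port, category, reason) for each misplaced listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header, blank line or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        addr = "0.0.0.0" if addr == "*" else addr
        port = int(port)
        category = CATEGORY.get(port)
        if category is None:
            findings.append((addr, port, "unknown", "unclassified service"))
        elif ipaddress.ip_address(addr).is_unspecified:
            # A wildcard bind exposes the service on every interface.
            findings.append((addr, port, category, "bound to all interfaces"))
        elif addr not in ALLOWED[category]:
            findings.append((addr, port, category, "wrong interface"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A wildcard bind is reported even for service-provider ports, because it also exposes them on the Internal Interface; restricting reachability with a firewall rule instead of the bind address would need a separate check.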

...