The occasional trials and tribulations of a jack-of-all-trades sysadmin in a startup in Silicon Valley
For the best possible security, servers should be on a separate network from any machines that connect to them, and the traffic to and from the servers should be restricted by a firewall with active intrusion detection monitoring.
That type of firewall is complex to manage and likely to be quite expensive (in general, throughput is a major factor in the cost of a firewall). The benefits of such a setup are unlikely to outweigh the limitations and expenses incurred. The opposite end of the spectrum is to plop your servers onto the same network as all of your machines and do everything on that one network.
A good in-between setup is to place your servers on two separate networks and move every service you can from the network shared with the workstations to the server-only network (effectively setting up an out-of-band network).
Each of my servers has at least two network interfaces (mostly dual-port Intel Pro 1000/MT Server Adapters). One of those interfaces is connected at 100 megabit to the general network shared with all of the workstations. The other uses a private IP address. This setup has provided performance improvements and increased security. The performance gain is only really noticeable when performing backups, although it has given me the bandwidth needed to experiment with the idea of moving my VMWare images to a NAS-like device.
For the security improvements, I needed to move services from the public network to the private one. I was able to relatively easily move my SNMP queries, backup process, and SSH access so that they are reachable only from the private network. Now if only I could work out how to enable Windows Remote Desktop on just one interface.
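A quick way to verify that a service really did move off the shared network is to check which local address each listening socket is bound to. The script below is an added example (not from the post); it assumes a Linux host with `ss` from iproute2, uses a constructed sample of `ss -H -ltnu` output embedded inline, and treats 10.0.1.5 as a placeholder for the server's private address.

```shell
# Added example, not from the original post. Flags listening sockets that are
# still reachable from the shared workstation network. Input is the output of
# `ss -H -ltnu` (Netid State Recv-Q Send-Q Local Peer) on stdin; the private
# address to allow is the first argument. All addresses are constructed.

# Constructed sample for one server: sshd bound to both the wildcard and the
# private address, snmpd on the wildcard, RDP on the public NIC's address.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 10.0.1.5:22 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
tcp LISTEN 0 128 192.168.1.5:3389 0.0.0.0:*'

# Emit one "port addr verdict" line per socket. OK = bound to the private
# address; WILDCARD = bound to every interface; PUBLIC = bound to some other
# (shared-network) address.
audit_listeners() {
  private_ip="$1"
  while read -r netid state recvq sendq local peer rest; do
    [ -n "$local" ] || continue
    addr=${local%:*}      # strip the trailing :port (works for [::] forms too)
    port=${local##*:}
    case "$addr" in
      "$private_ip")       verdict=OK ;;
      0.0.0.0|'*'|'[::]')  verdict=WILDCARD ;;
      *)                   verdict=PUBLIC ;;
    esac
    printf '%s %s %s\n' "$port" "$addr" "$verdict"
  done
}

# Number of sockets on the sample that still answer on the shared network.
exposed_count() {
  printf '%s\n' "$SAMPLE_SS" | audit_listeners "$1" | grep -vc ' OK$'
}

# Demo on the constructed sample: per-socket table, then the exposed count (3).
printf '%s\n' "$SAMPLE_SS" | audit_listeners 10.0.1.5
exposed_count 10.0.1.5
```

On a real host, replace the sample with `ss -H -ltnu | audit_listeners <private-ip>`; anything reported as WILDCARD or PUBLIC is a service that has not actually left the shared network.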
[2006/05/18 | /networks | permanent link]