Thread: IT Geeks, need some advice
07-03-2012, 05:29 PM #1
IT Geeks, need some advice
So apparently I have hit Comcast's bandwidth limit two months in a row and am now forced to upgrade to their business class service for my home. Turns out ski porn is the same as porn as far as they are concerned.
Currently I have an AirPort Extreme that connects to the cable modem, then two Time Capsules that connect to it, with separate WiFi networks: one that's dedicated to my home office, another one that is for the various media players in the house and for my fiancee to use, and then a 3rd one that is set up just for guests to use.
Since I am forced to upgrade to their business class services, I figured I'll take advantage of being able to get a static IP now.
So the question is: I want my Mac Pro server to be easily accessible by me from anywhere so I can retrieve files, yet remain ultra secure. Is one dedicated static IP address enough, or do I need multiple static IPs?
I assume I can assign 1 static IP to the AirPort Extreme that connects directly to the router, then assign public IPs via that to the Time Capsules and the other computers that access via the WiFi networks, and still have a static IP for the Mac Pro server.
07-03-2012, 06:42 PM #2
You don't need a static IP, and I'd suggest not using one, mostly because it will change once in a while (around here our static IPs change every 6-12 months, but longer is almost worse because you forget about it); you may as well build handling this into what you do. Using dynamic DNS you can deal with it quite easily (http://www.macworld.com/article/1052...ynamicdns.html) -- there are numerous free providers out there. One IP is sufficient as you'll just configure port forwarding for your remote access (as in forward inbound http to your server, everything else strictly is outbound). Your server and clients can all share the same external IP; it would only be an issue (and generally easily resolved) if you have multiple servers accessible to the Internet via the same protocol.
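The port-forwarding point in the reply above (several hosts behind one external IP, with a clash only when two servers want the same protocol), as an added example that is not part of any poster's message: a small audit of a router's inbound forwarding table. The addresses, ports and host labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: inbound forwards on a home router with ONE public IP.
# Addresses, ports and labels are illustrative assumptions, not from the thread.
FORWARDS = [
    # (proto, external_port, internal_ip, internal_port, label)
    ("tcp", 443, "10.0.1.10", 443, "mac-pro-server https"),
    ("tcp", 22, "10.0.1.10", 22, "mac-pro-server ssh"),
    ("tcp", 443, "10.0.1.20", 443, "media-box https"),
]


def find_conflicts(forwards):
    """Map (proto, external_port) -> labels, for ports claimed by more than one rule."""
    claims = defaultdict(list)
    for proto, ext, _ip, _port, label in forwards:
        claims[(proto, ext)].append(label)
    return {key: labels for key, labels in claims.items() if len(labels) > 1}


def resolve(forwards, start=8443):
    """Keep the first claimant of each external port; move later ones to a free port."""
    reserved = {(proto, ext) for proto, ext, *_ in forwards}  # ports already wanted
    used = set()
    fixed = []
    for proto, ext, ip, port, label in forwards:
        if (proto, ext) in used:
            ext = start
            while (proto, ext) in used or (proto, ext) in reserved:
                ext += 1
        used.add((proto, ext))
        fixed.append((proto, ext, ip, port, label))
    return fixed


def exposed_hosts(forwards):
    """Internal hosts reachable from the Internet; everything else is outbound-only."""
    return sorted({ip for _proto, _ext, ip, _port, _label in forwards})


if __name__ == "__main__":
    print("conflicts:", find_conflicts(FORWARDS))
    for rule in resolve(FORWARDS):
        print("forward:", rule)
    print("inbound-reachable hosts:", exposed_hosts(FORWARDS))
```

Every host returned by `exposed_hosts` is part of the inbound attack surface, so the shorter that list, the less there is to harden.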
07-04-2012, 04:51 AM #3
If you have Comcast Business and they offer static IP, then you can do the port forwarding to a device (like the Apple Server) for access anywhere. There can be security risks since your server is now on a public address and not just a private address behind the router. Don't have much Comcast around here but looks like they charge extra for the static IP addresses even with the business class:
Saxon, a static address is just that: a public address (or block of public addresses) assigned to the account, and it does not change regularly. Comcast reserves this address for the account. If Comcast is changing the IP address then they are offering dynamic IP addresses with that account.
So you can still do dynamic and save some money, or decide if you want to do one of the Dynamic IP Services like No-IP.com, dyndns.com, and many others. Most of these companies have a free service that can be used, or a paid monthly or annual fee with more advanced capabilities. Some routers support these services and are pretty easy to set up.
07-05-2012, 08:35 AM #4
Multiple IPs will let you separate your networks - depending on how secure you need it to be, it may be worth the nominal fee to add an IP or two. For instance, at the small financial institution where I work, we maintain 5 separate IPs. One of them is used for guest/customer wifi and guest workstation internet access, one for our primary (secure) core functions, one for our ATM networks, one for our inbound SFTP server, one for one of our primary SaaS vendors.
Reasons vary between keeping different kinds of access entirely separate - i.e. if somebody compromises our guest network they don't really have anything other than other guests, not good, but simple enough to wipe it out and restore and we don't have to worry about conducting forensics to make sure no sensitive data was compromised. Our ATM network requires all kinds of tedious certifications and other rigamarole to add roles to that connection. Our SFTP role is our only inbound connection, so again, it substantially limits our exposure.
So in your case, separating your guest network, yours and your wife's workstations, and your server might make sense - as long as you're not looking to share data between the 3 and your security requirements really justify that level of segregation.
Edit: Keep in mind - the security of your network is only as good as the least secure device on it. So if you spend all day surfing porn on your workstation and get all loaded up with viruses, or the Allstate trouble guy sits outside and hacks your guest wifi - a targeted attack will make the rest of your network (including your server) fall relatively easily. Options to mitigate this include beefing up security on less-secure devices or just separating them.
Also, static IP is a little more immune to DNS attacks... if you're truly concerned about security or are regulatorily required to be, it's probably worthwhile.
Last edited by Mustonen; 07-05-2012 at 09:05 AM.
07-06-2012, 10:10 AM #5
Mustonen brings up a few points - like what does your home-based business do, and are there possible security issues of having guests on the same network. Netgear and some other router companies have a few model routers that allow you to set up a separate guest network with a different SSID broadcast, and it only shares the WAN connection; no LAN sharing is done that way (with static or dynamic address either way). Does your home business deal with financial information (credit card, anything that would be a possible identity theft risk), medical info (HIPAA in the USA), etc.?
Questions like what is on the Server and what and how do you plan on sharing the data (FTP access, music or photos, web site, documents and business related files etc.) publicly definitely need to be discussed before there are recommendations made.