alias_neo 5 hours ago

> Why not?

It seems like you weren't really asking, but I'll answer anyway.

It's bad security practice and opens up your network to attack and/or compromise; you're massively increasing the attack surface, and a compromise of one of those components leaves the attacker sat on your edge router, at which point your entire network is fair game.

Generally speaking you shouldn't expose anything on your edge router / firewall, it's a safety barrier.

You can sit things behind it in a "DMZ" and port-forward and isolate them etc. so that there are no packets terminating on the actual edge device itself; that lowers the risk of a full network-level compromise.

Chances are you might be fine and never have a problem, but it's still recommended against.

drnick1 3 hours ago

It was a genuine question, and while you reiterate the author's point about this being "bad security practice," neither you nor the author explain why this is the case.

I don't believe physical separation really buys you much here. At most, it may reduce downtime if you do indeed get pwned, but I think that you can achieve the same objective through a combination of containers, VMs, and UNIX users. And running multiple, somewhat redundant machines also has obvious downsides such as increased power consumption, increased maintenance burden, additional space and cabling, etc.