Security Basics mailing list archives
RE: Securing the Server Farm
From: "Bowers, Jeramy J" <jebowers () iupui edu>
Date: Fri, 27 Jul 2007 10:52:10 -0400
Wali,

What business are you in? Designing infrastructure for a web services provider can be different than designing for a corporate server farm. Are your IDFs at the edge upstream to the same provider, or two different providers? Hopefully, they connect to separate internets.

If you have the capacity on the switches to allow for growth (capacity planning, include electrical and cooling requirements), you could connect one NIC of each server to each core switch. The 50 you quote might be good for now, but you may grow that system to a couple hundred with blade servers and SAN technology. The question is, can your farm handle the environmental needs if you do?

For protection, I'd recommend at minimum a stateful in-line firewall between each core switch and the IDF. Be sure it can handle the capacity of the uplink without too much of a performance hit.

At least one IPS. The first one passively connected to both core switches (hint: designate a port on each switch for promiscuous mode, and connect the IPS there). You should be able to connect one IPS to both switches and monitor them together. If you can afford a second one (or two), place them in-line between the firewall and the IDF. These will be more expensive since they (like the firewall) have to connect in-line without too much of a performance hit. In the best scenario, you'll want to know everything attempting to come in, and what is making it past the firewall.

In overall security, consider this one layer of the multi-layer approach. Design for securing the hosts, and physical security, and DRP/BCP as well.

Jay Bowers
Security Analyst

-----Original Message-----
From: WALI [mailto:hkhasgiwale () gmail com]
Sent: Wednesday, July 25, 2007 3:33 PM
To: security-basics () securityfocus com
Subject: Securing the Server Farm

We are in the middle of designing a Network Infrastructure and I was wondering what current design improvements I can undertake in designing the Server farm.
Given that there would be a Core switch (two for redundancy) and IDFs for connecting at the edges, how should I place my servers (about 50 of 'em)? Should I place them directly on the core and build some L3 access lists, or put another set of L3-L7 switches after the core and connect all my servers to it? Can I place an IPS/Firewall in the middle or would that be overkill? Pls advise!!