
RE: Securing the Server Farm

Subject: RE: Securing the Server Farm
Date: Fri, 27 Jul 2007 10:52:10 -0400
Wali, 
  What business are you in?  Designing infrastructure for a web services
provider can be different than designing for a corporate server farm.
Are your IDFs at the edge upstream to the same provider, or two
different providers?  Hopefully, they connect to separate internets.

If you have the capacity on the switches to allow for growth (capacity
planning, include electrical and cooling requirements), you could
connect one NIC of each server to each core switch.  The 50 you quote
might be good for now, but you may grow that system to a couple hundred
with blade servers and SAN technology.  The question is, can your farm
handle the environmental needs if you do?  

For protection, I'd recommend at minimum a stateful in-line firewall
between each core switch and the IDF.  Be sure it can handle the
capacity of the uplink without too much of a performance hit.

At least one IPS.  The first one passively connected to both core
switches (hint, designate a port on each switch for promiscuous mode,
and connect the IPS there).  You should be able to connect one IPS to
both switches and monitor them together.

If you can afford a second one (or two), place them in-line between the
firewall and the IDF.  These will be more expensive since they (like the
firewall) have to connect in-line without too much of a performance hit.

In the best scenario, you'll want to know everything attempting to come
in, and what is making it past the firewall.

In overall security, consider this one layer of the multi-layer
approach.  Design for securing the hosts, and physical security, and
DRP/BCP as well.

Jay Bowers
Security Analyst

-----Original Message-----
From: WALI [mailto:hkhasgiwale@gmail.com] 
Sent: Wednesday, July 25, 2007 3:33 PM
To: security-basics@securityfocus.com
Subject: Securing the Server Farm

We are in the middle of designing a Network Infrastructure and were
wondering what's the current design improvements I can undertake in
designing the Server farm. Given that there would be a Core switch (two for
redundancy) and IDFs for connecting at the edges. How should I place my
servers (about 50 of 'em)?

Should I place them directly on the core and build some L3 access lists
or put another set of L3-L7 switch after the core and connect all my
servers to it?

Can I place an IPS/Firewall in the middle or would that be an overkill?

Pls advise!! 

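As an added illustration (not from either poster), the two placements the thread discusses, written in Cisco IOS syntax: a SPAN session that copies the firewall-facing uplink of each core switch to the promiscuous port reserved for the passive IPS, and the kind of stateless L3 access list WALI asked about. Vendor, VLAN numbers, interface names and addresses are all assumptions; the thread names none of them.

```cisco
! Constructed example for core switch 1 (Cisco IOS syntax assumed; the thread
! names no vendor). Core switch 2 gets the same lines with its own port numbers.
!
! --- Passive IPS: mirror the firewall-facing uplink to the IPS sensor port ---
! Gi1/0/1 faces the inside of the in-line firewall, so everything that
! "makes it past the firewall" crosses it. Gi1/0/48 is the promiscuous port
! Jay suggests designating for the IPS; the monitor session puts it in that mode.
interface GigabitEthernet1/0/1
 description UPLINK-FROM-FIREWALL-INSIDE
interface GigabitEthernet1/0/48
 description IPS-SENSOR-SPAN-DEST
!
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/48
!
! --- Option WALI raised: servers directly on the core with an L3 access list ---
! Server VLAN 10 (10.10.10.0/24) and management subnet 10.30.0.0/24 are made up.
! Only HTTPS may reach the web tier from outside; management may reach every
! server; anything else toward the farm is dropped and logged. The ACL is
! stateless, which is why the reply prefers a stateful firewall: it tracks no
! sessions, so it cannot tell a reply from an unsolicited packet.
ip access-list extended TO-SERVER-FARM
 remark web tier, HTTPS only
 permit tcp any 10.10.10.0 0.0.0.255 eq 443
 remark management subnet may reach every server
 permit ip 10.30.0.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip any 10.10.10.0 0.0.0.255 log
!
interface Vlan10
 description SERVER-FARM
 ip address 10.10.10.1 255.255.255.0
 ip access-group TO-SERVER-FARM out
!
! Verify after applying:
!   show monitor session 1
!   show ip access-lists TO-SERVER-FARM
```

The `log` keyword on the final deny sends matching packets to the switch CPU for logging, so on a busy core rate-limit it or drop it once the rule set is confirmed.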
