
RE: Failover internet connections, and implementation...

Subject: RE: Failover internet connections, and implementation...
Date: Tue, 23 Oct 2007 14:05:44 -0700
  Neither of these will work if you host the company's Internet-
facing servers (web, email) on the network, because DNS entries
(cached all over the place) will still be pointing at your primary
addresses.

  There are special appliances that will compensate for a failed 
ISP link, including serving up DNS with a short TTL and reflecting 
the change.  The more traditional approach is to have dedicated 
routable addressing -- at least for those servers! -- and BGP to 
multiple ISP connections.

David Gillett


-----Original Message-----
From: listbounce@securityfocus.com 
[mailto:listbounce@securityfocus.com] On Behalf Of Dan Denton
Sent: Tuesday, October 23, 2007 11:19 AM
To: security-basics@securityfocus.com
Subject: Failover internet connections, and implementation...

I've a question about failover internet connections. I'm 
interested in knowing what kind of implementations 
other SMBs use for redundancy, and to switch to in the case 
of a DoS attack. 

Do any of you have redundant high-speed internet connections 
for your offices (versus those for datacenters)? If so, what 
kind of setup do you have?

Here are the setups I'm considering...

1. Have a second cable modem/DSL modem active, but not hooked 
into the network. In the event of a failure, move the 
connection for perimeter devices over to the standby 
connection and reconfigure the perimeter device to use a different IP.

2. Have a second set of perimeter devices (firewalls) 
programmed to use the IPs on the second connection, as a hot standby.

My problem with the first option is the time it would take to 
reconfigure firewalls and IDSes to use the other ISP's 
connection. The problem I have with the second is the expense 
of firewalls and IDSes just sitting there idle. 

Any input is greatly appreciated!


Dan 
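
The reply's point about cached DNS entries can be put in numbers. The following is an added example, not part of either message: a small offline model of a caching resolver sitting in front of a failover-aware DNS server. The addresses are constructed (documentation ranges), the function names are hypothetical, and the resolver is assumed to honour the record's TTL.

```python
"""Constructed model: how long cached DNS answers keep pointing at a failed ISP link."""
from dataclasses import dataclass

# Constructed sample addressing (documentation ranges), one address per ISP.
PRIMARY = "192.0.2.10"       # address reachable only via ISP A
SECONDARY = "198.51.100.10"  # address reachable only via ISP B


def authoritative_answer(now, fail_at, ttl):
    """What a failover-aware DNS server hands out: the address on the live link."""
    addr = PRIMARY if now < fail_at else SECONDARY
    return addr, ttl


@dataclass
class CachingResolver:
    """A downstream resolver that honours TTLs (assumption of this model)."""
    addr: str = ""
    expires: float = -1.0

    def resolve(self, now, fail_at, ttl):
        if now >= self.expires:  # cache miss or expired entry: ask the authority
            self.addr, record_ttl = authoritative_answer(now, fail_at, ttl)
            self.expires = now + record_ttl
        return self.addr


def stale_seconds(ttl, fail_at, first_query, step=1, horizon=200_000):
    """Seconds after the link fails during which clients are still sent to PRIMARY."""
    resolver = CachingResolver()
    last_stale = None
    for now in range(first_query, horizon, step):
        if resolver.resolve(now, fail_at, ttl) == PRIMARY and now >= fail_at:
            last_stale = now
    return 0 if last_stale is None else last_stale - fail_at + 1


if __name__ == "__main__":
    # Link fails at t=3600; the resolver cached the record just before, at t=3590.
    for ttl in (86_400, 300, 30):
        print(f"TTL {ttl:>6}s -> stale for {stale_seconds(ttl, 3600, 3590)}s")
```

With a one-day TTL the cached answer keeps sending clients to the dead link for almost the whole day; with a short TTL the same failover is picked up within seconds.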


