
| Subject: | Svar: Failover internet connections, and implementation... |
|---|---|
| Date: | Wed, 24 Oct 2007 10:01:34 +0200 |
Hi Dan,

Here is what I would do in such a case - it requires 2 good and service-minded ISPs.

Get a PI (provider independent) IP range from RIPE. Also apply for an AS number in BGP.

Find 2 service providers where you can set up a router at their premises and get 1 router for your own location. The 2 service provider routers must be configurable by you - or it can be their equipment, doesn't really matter! The important thing is that you can make configuration changes on them in case of DDoS.

What you want is a setup where - even though one service provider is down - your BGP will guide the traffic through the other ISP.

The reason for you to be able to control the router at the ISP is that in case of DDoS you may want to filter certain traffic types BEFORE they enter your WAN link. Either that, or the ISP is willing to do changes in the router config within 15 mins.

We have this setup running at a customer - the failover time is about 2 mins - then the internet goes in from another ISP. Works like a charm ;-)

Also configure the ISP routers to only allow 2% ICMP traffic on your WAN links.

Do QoS, prioritize your important traffic coming from the ISP to you - could be: smtp, https, http. Don't forget to prioritize your BGP routing ;-)

Happy configging!

Best Regards
Ove Dalgård Christensen
Cisco Certified Network Professional (CCNP)
Cisco Certified Security Professional (CCSP)

"Dan Denton" <ddenton@remitpro.com> 23-10-07 20:18 >>>
I've a question about failover internet connections. I'm interested in knowing what kind of implementations other SMBs use for redundancy, and to switch to in the case of a DOS attack.

Do any of you have redundant highspeed internet connections for your offices (versus those for datacenters)? If so, what kind of setup do you have?

Here's the setups I'm considering...

1. Have a second cable modem/dsl modem active, but not hooked into the network. In the event of a failure, move the connection for perimeter devices over to the standby connection and reconfigure the perimeter device to use a different IP.

2. Have a second set of perimeter devices (firewalls) programmed to use the IPs on the second connection, as a hot standby.

My problem with the first option is the time it would take to reconfigure firewalls and IDS' to use the other ISP's connection. The problem I have with the second is the expense of firewalls and IDS' just sitting there idle.

Any input is greatly appreciated!

Dan
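
The ICMP limit and traffic prioritization suggested in the reply above could look like the following on an ISP-side router, applied outbound on the WAN link toward the office. This is an added example, not configuration from the thread: it assumes Cisco IOS with MQC, and the ACL, class and policy names, the interface, and the 5% and 60% bandwidth figures are all assumptions (only the 2% ICMP figure comes from the message).

```cisco
! Added example (assumed names, interface and bandwidth shares).
! Classify BGP so the session to the customer router survives congestion.
ip access-list extended ACL-BGP
 permit tcp any any eq bgp
 permit tcp any eq bgp any
! All ICMP, to be policed to 2% of the link.
ip access-list extended ACL-ICMP
 permit icmp any any
! Traffic toward the office's own services: smtp, https, http.
ip access-list extended ACL-BUSINESS
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit tcp any any eq www
!
class-map match-any CM-BGP
 match access-group name ACL-BGP
class-map match-any CM-ICMP
 match access-group name ACL-ICMP
class-map match-any CM-BUSINESS
 match access-group name ACL-BUSINESS
!
policy-map PM-WAN-TO-CUSTOMER
 ! Guaranteed share for routing protocol traffic (assumed 5%).
 class CM-BGP
  bandwidth percent 5
 ! ICMP above 2% of the interface rate is dropped before it crosses the WAN link.
 class CM-ICMP
  police cir percent 2
   conform-action transmit
   exceed-action drop
 ! Guaranteed share for business traffic (assumed 60%).
 class CM-BUSINESS
  bandwidth percent 60
 class class-default
  fair-queue
!
! Assumed interface: the ISP router's link toward the customer site.
interface Serial0/0
 description WAN link to customer site
 service-policy output PM-WAN-TO-CUSTOMER
```

Because the policy sits on the ISP side of the link, excess ICMP is discarded before it consumes WAN bandwidth, which is the reason the reply gives for wanting configuration access to those routers.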