
| Subject: | RE: Failover internet connections, and implementation... |
|---|---|
| Date: | Wed, 24 Oct 2007 09:10:53 -0500 |
Thanks to all who have replied. I've gotten a lot of great suggestions. The network in question has a pix 506e at its perimeter, and is an endpoint to a vpn with another pix, so I think I'll have to go the ASA route. Off to do some research.

Thanks again!

-----Original Message-----
From: c0unter14 [mailto:c0unter14@gmail.com]
Sent: Wednesday, October 24, 2007 9:06 AM
To: jam@zoidtechnologies.com
Cc: David Gillett; Dan Denton; security-basics@securityfocus.com
Subject: Re: Failover internet connections, and implementation...

As evident from earlier replies, the inbound traffic provisioning will need some work done to be useful in case of a failover. If you are willing to spend, there are third party solutions that will do this for you as a lot of people have sent you the links. If not, you can also do some tricks with your existing firewalls to get it to work.

For e.g. Checkpoint has an inbuilt option for ISP redundancy. In case of Juniper, you can use a combination of 2 (or more) default routes with different weights and "track-ip" options to make a failover ISP redundant system, however in both cases provisions will be needed for inbound traffic due to routing issues.

Some of the third party solutions mentioned above work very well, and should be preferred if you have the money (which usually nobody has). However, if you want to get it done with your existing infrastructure, it is entirely possible but will again depend on what devices you have.

My 0.02$

On 10/23/07, jam@zoidtechnologies.com <jam@zoidtechnologies.com> wrote:
> On Tue, Oct 23, 2007 at 02:05:44PM -0700, David Gillett wrote:
> > Neither of these will work if you host the company's Internet-facing
> > servers (web, email) on the network, because DNS entries (cached all
> > over the place) will still be pointing at your primary addresses.
>
> you can change the zone file so that it has a much shorter timeout--
> that way if there is an outage and you need to change the zone you can
> do it with minimal delay... change it from 3 days down to 30 minutes,
> for example, and your changes should propagate much quicker.
>
> > David Gillett
>
> regards,
> J
> --
> http://zoidtechnologies.com/ -- software that sucks less