Re: Securing web site with redundancy ?

["Steve" <securityfocus () delahunty com>]

Load balancing is a good solution.  Consider that web servers are cheap, so
consider three instead of two. Load balancing inserts complexity though.
But uptime isn't cheap or easy.

----- Original Message ----- 
From: "Beaty, Bryan" <Bryan.Beaty () vector com>
To: "Bénoni MARTIN" <Benoni.MARTIN () libertis ga>; "Corey Watts-Jones"
<cwattsjones () rogers com>; <security-basics () securityfocus com>;
<pen-test () securityfocus com>
Sent: Tuesday, August 24, 2004 11:21 AM
Subject: RE: Securing web site with redundancy ?


You cannot simply add a DNS entry. That creates a round robin system that
will send half the users to each server. If one server goes down the DNS
server will never know and you will send half your users to the dead server.

As far as I know the best two options are to:
1. Load balance two independent servers
2. Cluster two servers

If you use a load balancing device it will send users to each server. When
one goes down the load balancer will stop sending users to that server and
redirect them to the other.

If you cluster then both servers share a virtual IP address and when one
fails the other keeps working.

There are pros and cons for both methods. The most notable is that of both
servers are 60% utilized and one fails then the remaining server will be
overloaded and will likely fail as well. Cisco has a device called Load
Director that does the load balancing. You can also use Microsoft NTLB or
cluster services which work sometimes. There are dozens of other solutions
available.

Hope this helps.

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Monday, August 23, 2004 5:22 AM
To: Corey Watts-Jones; security-basics () securityfocus com;
pen-test () securityfocus com
Subject: RE: Securing web site with redundancy ?

Hi!

If my memory does not let me down, a DNS server makes the translation
between IP adresses and hostnames. On any OS, you can specify several DNS
servers, so if the first fails down, it tries to reach the second one.

But what I have to handle is this: someone on the network requests
www.mywebsite.com. The external FW catchs the request, performs a NAT and
redirects it to the webserver. But the FW has to know to which web server it
has to redirect the request...

PS: My web servers are web servers only, not at all DNS servers ...

-----Message d'origine-----
De : Corey Watts-Jones [mailto:cwattsjones () rogers com]
Envoyé : samedi 21 août 2004 06:12
À : Bénoni MARTIN; security-basics () securityfocus com;
pen-test () securityfocus com
Objet : RE: Securing web site with redundancy ?

Hmmm... could you not simply add the second web server to the end of the
list for DNS entries? Failing contact with the first listed server it should
contact the next entry in line.

Correct me if I'm wrong, folks. :)

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Friday, August 20, 2004 8:10 AM
To: security-basics () securityfocus com; pen-test () securityfocus com
Subject: Securing web site with redundancy ?

Hi all !

I was wondering if there was a way to set up 2 "redundant" web servers
(identical web sites), i.e. when one crashes, the other one takes the
connection over. The same thing which is already available for firewalls
(high disponibility), but with web servers.

We would have 2 Windozes in a DMZ with IIS as the web server, and a pix
firewall between the dmz and Internet. Is there any tool allowing this out
there ? I tried to google quite a while, but without any chance...

Some one has an idea ?

Cheers list !

----------------------------------------------------------------------------
--
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817
----------------------------------------------------------------------------
---






----------------------------------------------------------------------------
--
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817
----------------------------------------------------------------------------
---


---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------