Security Basics mailing list archives

RE: Securing the Server Farm


From: "Bowers, Jeramy J" <jebowers () iupui edu>
Date: Fri, 27 Jul 2007 10:52:10 -0400

Wali, 
  What business are you in?  Designing infrastructure for a web services
provider can be different than designing for a corporate server farm.
Are your IDFs at the edge upstream to the same provider, or to two
different providers?  Hopefully, they connect to separate internets.

If you have the capacity on the switches to allow for growth (capacity
planning, include electrical and cooling requirements), you could
connect one NIC of each server to each core switch.  The 50 you quote
might be good for now, but you may grow that system to a couple hundred
with blade servers and SAN technology.  The question is, can your farm
handle the environmental needs if you do?  

For protection, I'd recommend at minimum a stateful in-line firewall
between each core switch and the IDF.  Be sure it can handle the
capacity of the uplink without too much of a performance hit.

At least one IPS.  The first one passively connected to both core
switches (hint, designate a port on each switch for promiscuous mode,
and connect the IPS there).  You should be able to connect one IPS to
both switches and monitor them together.

If you can afford a second one (or two), place them in-line between the
firewall and the IDF.  These will be more expensive since they (like the
firewall) have to connect in-line without too much of a performance hit.

In the best scenario, you'll want to know everything attempting to come
in, and what is making it past the firewall.

In overall security, consider this one layer of the multi-layer
approach.  Design for securing the hosts, and physical security, and
DRP/BCP as well.

Jay Bowers
Security Analyst
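As an added illustration of the promiscuous-mode port hint above (not taken from either author in this thread), this is what a passive sensor connection looks like as local SPAN on a Cisco IOS switch; the vendor syntax and the interface numbers are assumptions, since the thread names no platform.

```cisco
! Core switch 1 (assumed Cisco IOS syntax; interface numbers are
! placeholders, not from the original post).
! Mirror both directions of the uplink that sits between the firewall/IDF
! side and the server VLANs onto the port where one of the IPS sensor's
! monitoring interfaces is cabled.
monitor session 1 source interface GigabitEthernet1/0/48 both
monitor session 1 destination interface GigabitEthernet1/0/47
!
! Core switch 2: the same arrangement feeds the sensor's second
! monitoring interface, so a single passive IPS watches both cores.
monitor session 1 source interface GigabitEthernet1/0/48 both
monitor session 1 destination interface GigabitEthernet1/0/47
!
! Notes:
! - A SPAN destination port only transmits copies and does not forward
!   received frames, so the sensor cannot inject or bridge traffic and
!   needs no IP address on the monitoring interfaces.
! - Mirroring "both" directions of a full-duplex uplink can deliver up to
!   twice the link rate to the destination port; size the sensor port
!   accordingly or the switch will drop mirrored frames silently.
! - The in-line IPS placed between the firewall and the IDF needs no SPAN
!   session; it is cabled into the path and sees the traffic directly.
```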

-----Original Message-----
From: WALI [mailto:hkhasgiwale () gmail com] 
Sent: Wednesday, July 25, 2007 3:33 PM
To: security-basics () securityfocus com
Subject: Securing the Server Farm

We are in the middle of designing a Network Infrastructure and I was
wondering what current design improvements I can undertake in
designing the Server farm. Given that there would be a Core switch (two for
redundancy) and IDFs for connecting at the edges, how should I place my
servers (about 50 of 'em)?

Should I place them directly on the core and build some L3 access lists
or put another set of L3-L7 switch after the core and connect all my
servers to it?

Can I place an IPS/Firewall in the middle or would that be an overkill?

Pls advise!! 
