RE: Failover internet connections, and implementation...

["David Gillett" <gillettdavid () fhda edu>]

  Neither of these will work if you host the company's Internet-
facing servers (web, email) on the network, because DNS entries
(cached all over the place) will still be pointing at your primary
addresses.

  There are special appliances that will compensate for a failed 
ISP link, including serving up DNS with a short TTL and reflecting 
the change.  The more traditional approach is to have dedicated 
routable addressing -- at least for those servers! -- and BGP to 
multiple ISP connections.

David Gillett


> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Dan Denton
> Sent: Tuesday, October 23, 2007 11:19 AM
> To: security-basics () securityfocus com
> Subject: Failover internet connections, and implementation...
>
> I've a question about failover internet connections. I'm 
> interesting in knowing what kind of implementations that 
> other SMB's use for redundancy, and to switch to in the case 
> of a DOS attack. 
>
> Do any of you have redundant highspeed internet connections 
> for your offices (versus those for datacenters)? If so, what 
> kind of setup do you have?
>
> Here's the setups I'm considering...
>
> 1. Have a second cable modem/dsl modem active, but not hooked 
> into the network. In the event of a failure, move the 
> connection for perimeter devices over to the standby 
> connection and reconfigure the perimeter device to use a different IP.
>
> 2. Have a second set of perimeter devices (firewalls) 
> programmed to use the IP's on the second connection, as a hot standby.
>
> My problem with the first option is the time it would take to 
> reconfigure firewalls and IDS' to use the other ISP's 
> connection. The problem I have with the second is the expense 
> of firewalls and IDS' just sitting there idle. 
>
> Any input is greatly appreciated!
>
>
> Dan