Security Basics mailing list archives
R: Protecting the server farm!
From: "Vega - Brunello Ivan" <I.Brunello () vegaspa it>
Date: Wed, 19 Sep 2007 11:49:09 +0200
I would do the following:
- put servers on one or more different segments
- keep servers at full speed, close to the core
- make traffic shaping/QoS a must; this enables better performance, prevents most DDoS, and usually doesn't need further HW.
- put some kind of filter between the core/distribution and access level: firewall/UTM, or a NAC solution.

Talking about Cisco (not checked the others), I found that a standalone firewall, compared to the blade which fits into the switch:
- costs a fraction of the blade
- can be virtualized (i.e. you can create 2 or more "virtual firewalls", each with its own set of interfaces and rules; the blade is "virtualized" by default)
- has more features
- runs at as much as 1 Gbps (compared to the claimed 5 Gbps)

As far as I saw, performance is a big issue. 1 Gbps filtering speed IMHO is quite enough for endpoint uplinks.

Ivan Brunello
System & Network Management
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of WALI
Sent: Monday, 17 September 2007 3:02
To: security-basics () securityfocus com
Subject: Protecting the server farm!

I have been wondering about the technology means that I can deploy into my infrastructure, which is still only at the design stage. In a newly designed campus infrastructure, I'll have a datacenter with two core switches to which my IDFs will be connected with a 10 gig uplink. From my core, I plan to directly connect my 50-odd servers. Various vendors are telling various things. Cisco gives a solution which has a switch containing a firewall and IDS built into it that would sit between my servers and core switches. Foundry gives a solution where they propose a unified threat management (UTM) box sitting between my servers and core switch, with all internal traffic being diverted through it. Nortel says no need, buy a NAC solution later and your whole network will be well protected. What do you guys think? Each solution has an added cost and tends to bring about a bottleneck, reducing throughput of my server farm to only a gigabit, as most of these devices cannot give me more than a Gbit interface. How do you guys protect your server farm from internal LAN threats?
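As an added illustration of the segmentation, filtering and shaping steps discussed in the reply above (this is editorial example configuration, not part of either poster's message and not a vendor-provided design), here is a Cisco-style sketch: one VLAN per server tier on the core switch, an ACL that limits which segment may reach the database tier, a policing policy on a server-facing port as a rough traffic-shaping measure, and a standalone ASA in multiple-context mode with one virtual firewall per tier. All interface names, VLAN numbers, addresses, ports and context names are assumptions chosen for the example.

```cisco
! --- Core switch (IOS): one VLAN per server tier instead of a flat server LAN ---
! (VLAN numbers, names and addresses are assumed for this example)
vlan 100
 name SRV-WEB
vlan 110
 name SRV-DB
!
interface Vlan100
 description Web tier gateway
 ip address 10.10.100.1 255.255.255.0
!
interface Vlan110
 description Database tier gateway
 ip address 10.10.110.1 255.255.255.0
 ! Applied "out": filters traffic the core routes INTO the DB segment
 ip access-group DB-IN out
!
! Only the web tier may reach the database tier, and only on the DB port
! (1433 assumed). Anything else trying to enter VLAN 110 is dropped and logged.
ip access-list extended DB-IN
 permit tcp 10.10.100.0 0.0.0.255 10.10.110.0 0.0.0.255 eq 1433
 deny   ip any any log
!
! Rough traffic shaping without extra hardware: police a single server port
! so one flooding host cannot starve the rest of the segment (rate assumed).
class-map match-any SRV-ALL
 match any
policy-map SRV-POLICE
 class SRV-ALL
  police cir 500000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet1/1
 description web-01 (assumed host)
 switchport mode access
 switchport access vlan 100
 service-policy input SRV-POLICE
!
! --- Standalone firewall (ASA) between core and server segments ---
! Multiple-context mode: each tier gets its own virtual firewall with its own
! interfaces and rule set; "outside" is shared toward the core.
mode multiple
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context web
 allocate-interface GigabitEthernet0/0.100 inside
 allocate-interface GigabitEthernet0/1 outside
 config-url disk0:/web.cfg
!
context db
 allocate-interface GigabitEthernet0/0.110 inside
 allocate-interface GigabitEthernet0/1 outside
 config-url disk0:/db.cfg
```

The switch ACL and the ASA contexts are two alternative places to put the inter-segment filter, matching the "no further HW" and "standalone firewall" options in the reply; in a real deployment you would pick one enforcement point rather than duplicate the rules, and each context's own config (nameif, security-level, access-list, access-group) still has to be written in its config-url file.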
Current thread:
- Protecting the server farm! WALI (Sep 18)
- R: Protecting the server farm! Vega - Brunello Ivan (Sep 19)
- Re: Protecting the server farm! Brian Laing (Sep 19)