R: Protecting the server farm!

["Vega - Brunello Ivan" <I.Brunello () vegaspa it>]

I would do the following:
- put servers on one or more different segments
- keep servers at full speed, close the the core
- make traffic shaping/QoS a must; this enable better perfomance, prevent most DDoS, and usually don't need further HW. 
- put some kind of filter between the core/distribution and access level: firewall/UTM, or NAC solution.

Talking about Cisco (not checked the others), I found that standalone firewall, compared to the blade which fit into 
switch:
- cost a fraction of the blade
- can be virtualized (i.e. you can create 2 or more "virtual firewall", eache with its set of interface and rules - the 
balde is "virtualized" by default)
- has more features
- runs as much as 1Gbps(compared to the claimed 5GBPs)

As far as I saw, performance is a big issue.
1 Gbps filtering speed IMHO is quite enough for endpoints uplink.



Ivan Brunello
System & Network Management
 
 

> -----Messaggio originale-----
> Da: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] Per conto di WALI
> Inviato: lunedì 17 settembre 2007 3.02
> A: security-basics () securityfocus com
> Oggetto: Protecting the server farm!
>
> I have been wondering about the technology means that I can 
> deploy into my infrastructure which is yet at only the 
> designing stage.
> In a newly designed campus infrastructure, I'll have a 
> datacenter with two core switches to which will my IDFs be 
> connected with a 10 gig uplink.
>
>  From my core, I plan to directly connect my 50 odd servers.
> Various vendors are telling various things.
>
> Cisco gives a solution which has a switch containing Firewall 
> and IDS built into it that would sit between my servers and 
> core switches.
> Foundry gives a solution where they propose a united threat management
> (UTM) box sitting between my servers and core switch with all 
> internal traffic being diverted through it.
> Nortel says no need, buy a NAC solution later and your whole 
> network will be well protected.
>
> What do you guys think? Each solution has an added costs and 
> tends to bring about a bottleneck reducing throughput off my 
> server farm to only a gigabit as most of these devices cannot 
> give me more than a Gbit interface.
>
> How do you guys protect your server farm from internal LAN threats?
>
>
> --
> No virus found in this outgoing message.
> Checked by AVG Free Edition. 
> Version: 7.5.487 / Virus Database: 269.13.21/1010 - Release 
> Date: 9/15/2007 7:54 PM