We have a few rack cabinets in a datacenter with a fast internet connection and a very slow one. The slow connection was installed by someone who does not work with us anymore, and he left very little documentation about the setup. As far as we can tell, the setup does not work as planned.
Since we do not know enough about networking, I turn to Experts Exchange hoping someone could help me out with this one.
The initial purpose of the setup is a simple concept. When an attacker or a server problem consumes all bandwidth of the fast connection, the line will close because of this traffic. Therefore we cannot control the servers properly to find the attacker or the cause of the problem and fix it. We had Colt install a second internet connection (a very slow one) that will only be used in cases like this. We would be able to control our servers through this backdoor connection and solve the problem.
We now know that the setup is slightly different. We would be able to close a port on the main switch (fast connection) and therefore prevent the attack. But this means that we cannot solve the problem, and all websites or applications on that server would be dead. This is not really a solution in our opinion. We now simply call Colt to handle the problem, and they just disconnect the port on the switch for 30 minutes. This happens very rarely, but is a frustrating problem.
I included a diagram which shows what we want to set up.
You will see that we want to use a server (which acts as a domain controller and monitoring server) to access the other servers with. We would be able to use VNC to connect to that monitor server, and go from there (SSH, RDP or VNC) over the internal network to the other servers. We also want to send backups over the internal network, instead of through the main switch. Some servers have bandwidth monitoring, and now we have to subtract the backups from the total bandwidth each month, because they run over the main network connection instead of the local network of the backdoor switch.
The monitor server runs Windows Server 2003 and has 3 network connections.
The switches are both Cisco Catalyst 24-port switches, but I don't know the exact model.
I would like to know if
1) this is achievable with what we have now
2) how the network configuration should be done on the monitor server (ip, subnet, gateway, dns for each network interface => 3)
3) how the network configuration should be done on the other servers (ip, subnet, gateway, dns for each network interface => 2)
4) how the backdoor switch needs to be configured. We have never configured a Cisco switch ourselves, so keep that in mind. At this point the switch is manually configured for the existing setup. I should receive a document with the switch configuration this week, but I am hoping we can just reset the switch and use it right away.
The best practice to stop any attack is to colocate a firewall for your connection at the provider end.
If this is not feasible, then place a firewall between your internet and your servers, and that firewall should have a separate backdoor connection in case the main link is choked. When there is an attack you just have to log in on the firewall and stop traffic for a particular port or protocol instead of shutting the switch port.
We have two reasons not to use a single firewall setup:
- Expense: We need it to be replaced quickly in case of failure. Therefore we would need a firewall managed by Colt, which is not a cheap solution for situations that happen very rarely. If we install it ourselves, we would have to put an extra firewall in a cabinet in case it breaks (double costs), so it can be switched quickly. But we also would have to drive several hours to get to the datacenter, while Colt can replace it (only their own managed hardware) very quickly.
- Manageability: In case of a firewall misconfiguration, it could lead to serious problems since it would serve several rack cabinets full of servers. It would also be hard to configure, for several server configurations, including dedicated and colocated systems. The customers of these contracts should be able to change their own firewall settings.
Therefore I do not see how a single firewall can be used unless all traffic is allowed and manually blocked in case of connection problems. I also need to be able to access that monitor server to see which ip is causing the problem, unless I could look this up in the firewall interface.
I do not have knowledge of hardware, and it would be great if you could point me to some decent firewall devices to use in datacenters with high availability requirements. I can then compare this to the offer Colt has already made to manage a firewall for us.
Drop the idea of placing your own firewall at the provider end.
Placing a firewall at your end between the internet and your servers is feasible. In your scenario the firewall will pass traffic from the internet to your servers; you just have to block unwanted ports unless they are required by a customer, and moreover block or limit ICMP traffic.
There are hardware firewalls, but I always prefer to use a software firewall, especially on a FreeBSD or Linux box.
The idea of having a single server in front of all our rack cabinets scares me. If something goes wrong with this server, I have a serious problem.
I do prefer the FreeBSD ipfw firewall myself, but not on a single machine serving several rack cabinets full of servers. The risk is too high. A normal server with moving parts (disks, coolers, ...) has a much higher risk of breaking than a proper hardware firewall device.
Like I said, high availability is required for this solution. It might be possible to go with a small server, and put the OS on a solid state disk instead of normal disks. But this feels more like a "do-it-yourself-at-home" solution. Is there a solution so we can set up two servers at once, in case one breaks?
Can anyone tell me if the original setup (see attachment in first post) would be achievable?
We also would like to have our backups run over the secondary switch, because bandwidth monitoring requires manual calculations each month. We need to subtract the backup traffic from the total traffic because they run over the same network interface.
As I understand correctly, we would be able to mirror the firewall server to a second server. This will be an exact copy of the original.
This far I can follow, but then I am wondering how the network configuration and cabling of both servers should be done, because I only have one tcp connector with the internet connection. Now it is plugged in the switch, and all servers are connected to that switch.
How can we make this redundant, so little intervention is needed to switch (preferably only by remote access) in case one server goes down?
I also did some searching on "dynamic protocols" for FreeBSD, but came up with almost nothing. DHCP is a dynamic protocol, but I don't see how this could help building a redundant firewall.
Do you know how to set up the original question? Assume we are building two FreeBSD firewall servers to place in front of the main internet connection. I then still need to be able to configure the backdoor connections, for running backups over different network interfaces than the internet connection. How would I have to configure the network cabling and settings for this?
I might be asking a lot of questions, but I did assign the maximum amount of points for this question, because I need sufficient information, especially about the configuration of the network interfaces and cabling.
>>As I understand correctly, we would be able to mirror the firewall server to a second server. This will be an exact copy of the original.>>
Do you have a managed switch? If yes, then put the internet + primary firewall external interface + secondary firewall external interface in one VLAN.
The internal interfaces of both firewalls and the servers should be in another VLAN.
Both your firewalls should have a link with the management VLAN of the switch; this will help to enable and disable ports during failure of one server. The practice will be simple: in case the primary firewall fails you just have to disable the switch port pertaining to the primary firewall link and enable the secondary firewall ports, which have the same IPs as the primary has. (Yes, don't forget that both firewalls have the secondary internet link.)
Whereas in case of an attack you just have to log in on the primary firewall from the second internet link and, after analyzing the nature of the attack, apply a filter. (For traffic analyzing I prefer to use traffshow.) This is all the manual way, but if you can arrange BGP routing from your provider this can all be real time.
When I say dynamic protocols I mean BGP, OSPF, EIGRP.
Did I object to you asking questions? Experts are here to support you; even if you assign 20 points they will support you.
I know for a fact that the switch from Colt, which is attached to our servers and the main internet connection, cannot be managed by ourselves. Only Colt has access to it, but they would certainly set up one-time configurations for us.
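The "analyze the attack over the backdoor link, then apply a filter" step above, as an added example that is not from this thread or from either poster: it parses tcpdump-style summary lines, finds the source that is consuming the uplink, and returns the ipfw command that blocks it. The capture lines are constructed for the example, the interface name em0 is an assumption, and the ipfw command is only returned as a string so it can be reviewed before it is pasted into the firewall session.

```python
"""Added example: find the top talker in a tcpdump summary and build the
ipfw rule that blocks it. Nothing here executes ipfw; the rule is returned
as text. Sample lines below are constructed, not real traffic."""
import re
from collections import Counter

# Constructed sample in the shape of `tcpdump -n -q` output, mixing TCP and
# UDP lines. The source 203.0.113.9 is the one hammering the web server.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.9.51234 > 198.51.100.10.80: tcp 1460
12:00:01.000120 IP 203.0.113.9.51235 > 198.51.100.10.80: tcp 1460
12:00:01.000300 IP 192.0.2.44.40001 > 198.51.100.11.443: tcp 320
12:00:01.000480 IP 203.0.113.9.51236 > 198.51.100.10.80: tcp 1460
12:00:01.000700 IP 203.0.113.9.51237 > 198.51.100.10.80: tcp 1460
12:00:01.000900 IP 192.0.2.45.53 > 198.51.100.11.53: UDP, length 80
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: ... <length>"; the payload length
# is the last integer on the line for both the tcp and the UDP summary form.
_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: .*?(?P<length>\d+)$"
)


def parse_line(line):
    """Return (src, dst, payload_bytes) for one summary line, or None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("length"))


def bytes_by_source(capture):
    """Aggregate payload bytes per source address over the whole capture."""
    totals = Counter()
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed:
            src, _dst, length = parsed
            totals[src] += length
    return totals


def top_talker(capture, share=0.5):
    """Return (ip, bytes) for the biggest source if it carries more than
    `share` of all observed bytes, else None. A single source dominating the
    link is the case the thread describes; a spread-out flood will not
    trip this and needs upstream (provider) filtering instead."""
    totals = bytes_by_source(capture)
    grand = sum(totals.values())
    if not grand:
        return None
    ip, nbytes = totals.most_common(1)[0]
    return (ip, nbytes) if nbytes / grand > share else None


def ipfw_block_rule(ip, rule_number=100, via="em0"):
    """Build the ipfw command that drops everything from `ip` arriving on the
    outside interface. Rule numbers are evaluated in ascending order, so 100
    lands before the normal pass rules; `via` is an assumed interface name."""
    return f"ipfw add {rule_number} deny ip from {ip} to any in via {via}"


if __name__ == "__main__":
    hit = top_talker(SAMPLE_CAPTURE)
    if hit:
        print(f"{hit[0]} sent {hit[1]} bytes; proposed rule:")
        print(ipfw_block_rule(hit[0]))
```

Keep the rule number below whatever pass rules the firewall already has, and make sure the rules that admit management traffic on the backdoor interface sit at even lower numbers, otherwise a mistyped deny can lock out the very session you opened to fix the problem. Remove the temporary rule with `ipfw delete 100` once the attack subsides.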
Although I don't really understand the complete setup, I feel like it is close to or exactly what we need. I have been reading a bit about VLAN on wiki, and I suppose this will be setup with "Port-based VLANs".
Is it correct that I would use the first three ports of the switch as VLAN1 and the other ports as VLAN2?
VLAN 1 - port 0: main internet connection
VLAN 1 - port 1: external interface firewall 1
VLAN 1 - port 2: external interface firewall 2
VLAN 2 - port 3: internal interface firewall 1
VLAN 2 - port 4: internal interface firewall 2
VLAN 2 - port 5-*: external interfaces servers
<< Your both firewalls should have link with management VLAN of switch, this will help to enable disable ports during failure of one server. >>
Does this mean that both firewall servers have the same IP setup, but port 2 for the second firewall is just closed all the time? In case firewall 1 breaks, I close port 1 and open up port 2?
<< yes don't forget both firewalls have secondary internet link >>
Does this mean I need an extra network interface on both firewalls with each their own small internet connection? At this point we have one backdoor-connection, so I should get another one for the second firewall?
I think I understand the procedure to follow in case of an attack. Through the backdoor-connection, I can control the firewall (the one that is active at that point), examine traffic (which is no problem), and add a rule to block the traffic (which is also no problem).
What I don't understand is the BGP stuff. It seems like this is very complicated. What is this supposed to do? If automatically blocking traffic, we could also use ipfw dynamic rules, or is this not correct?
About the backup procedure. I suppose I can just build an internal network with the second switch we have to send out backups over the local network (192.168.*.*). Would this work if we reset the already configured backdoor switch to default factory settings? I assume it would then just be a regular switch?
Thanks a lot for all information. I will be trying to set this up at our office and see how far we go. I know where to post more questions in case we have any.