Solved

How do I protect my servers in a Datacenter

Posted on 2011-02-14
Last Modified: 2012-05-11
I have a few servers in a datacenter.  I've never needed more than 1 IP and everything has been behind a Cisco ASA5505 so far.  I have 64 IP addresses provided to me and I'd like to change the setup to take advantage of them.  I would like to bring a handful of web servers and vpn servers online.  Each would need to be assigned a public routable ip address (from one of the 64 addresses).  My question is, how do I protect all the servers that have public IP addresses.  I would like to get away from the ASA5505 because it's limited to 10/100 interfaces and my uplink is 1GB (as well as all my nics).  I cannot spend any more than 1k. I've looked into using PFsense, but I don't quite grasp how this needs to be set up (or if it can support more than one IP in bridge mode, or if you can control bandwidth with this approach).  I would like to know some possible solutions and maybe some usage scenarios that are in use now, for similar setups.

Thanks for any insight you can provide.  It's very much appreciated.
Question by:maxvisionsmith
10 Comments
 

Author Comment

by:maxvisionsmith
I've been looking at Vyatta but I'm not sure if that's the way to go or not.
Accepted Solution

by: kdearing (earned 250 total points)
First off, you CAN use your 'extra' IP addresses with your 5505.
Just need to create static NATs to the specific servers.

I doubt you can upgrade to a bigger ASA for $1000

If you want to build something yourself, take a look at SmoothWall.


Author Comment

by:maxvisionsmith
The ASA5505 will use all the IPs I throw at it, but only on the 100mbps interfaces as that's all that's available on that model.  I need GB.  Do hosting providers typically get Cisco switches and set up each port on its own VLAN?
Assisted Solution

by: RobertParten (earned 250 total points)
Take a look at Untangle as well for a firewall. I used this in a test environment once on a Dual Quad Core Xeon based machine with a Dual Intel NIC card with 4GB of RAM and it ran smooth. Easy to set up and easy to maintain. However, some things are better left to be desired when it comes to how it works and the interface. It also includes a method of bandwidth control as well that works well.

Give Untangle a shot if you want a lot of features for little money.

Author Comment

by:maxvisionsmith
I have servers in a datacenter that I need to protect and they all have public routable IPs.  I'm not going to be running NAT here.
Expert Comment

by:RobertParten
Ok, well....in the ASA you can ALWAYS just include MORE interfaces in the "outside" VLAN and plug them directly into those ports and assign them their public IP address and it will work. However, if you want to do that you need to enable

same-security-traffic permit intra-interface

You can do this with a 5502, but you need to put a switch on one of those ports of the ASA to Extend if you want to use ALL of the ports on the ASA or just leave it on ONE interface and attach a switch to that. ProxyARP will ensure that the ASA answers for the ARP request for that specific IP address when the ARP WHO HAS comes through.
Expert Comment

by:kdearing
I have servers in a datacenter that I need to protect and they all have public routable IPs.  I'm not going to be running NAT here.
Every reputable network design or best practice documentation says this is a bad idea.
Publicly accessible servers should be in the DMZ and assigned non-routable IP addresses.
NAT is then used to manage and direct the traffic flow to/from the servers.
Expert Comment

by:RobertParten
@kdearing - This isn't always the case my friend. For systems like cPanel you CANNOT have a NAT to the server. In fact, most (if not all) the ISPs I have worked for and web hosts have their servers assigned public IP addresses. We used Linux so iptables is what you use to secure servers in combination with SELinux.

Windows also has its own firewall as well, so I am not going to go as far as saying "Best Security Practice" because we aren't fully aware of his needs and requirements. NAT doesn't have a lot of overhead, but it still takes just a bit of processing power to work so in theory it is "slower" albeit you may not even notice it.
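The host-firewall approach RobertParten describes above (iptables on a Linux server that carries its own public address, with no NAT in front of it) is easy to get wrong in the details: the INPUT policy must be DROP, conntrack has to be consulted before anything else, and management access has to be scoped to a known source. The script below is an added example for this thread, not code from any of the posters; it emits a default-deny iptables-restore ruleset rather than applying it, so the result can be reviewed (and checked with `iptables-restore --test`) before it is loaded. The server address 203.0.113.10, the admin network 198.51.100.0/24 and the exposed ports are assumed values from the documentation ranges.

```sh
#!/bin/sh
# Added example, not code from the thread or from any of the posters: a
# default-deny host firewall for a Linux server that sits directly on a
# public IP, emitted as an iptables-restore ruleset so it can be reviewed
# (and checked with `iptables-restore --test`) before it is loaded.
# The address, admin network and port list used below are assumed values.

# build_ruleset PUBLIC_IP ADMIN_CIDR "TCP_PORTS"
#   Prints an iptables-restore file for the filter table. PUBLIC_IP is the
#   server's own routable address, ADMIN_CIDR is the (public) network SSH is
#   allowed from, TCP_PORTS is a space-separated list of service ports.
build_ruleset() {
    pub_ip="$1"
    admin_cidr="$2"
    ports="$3"

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, then anything belonging to a flow we already allowed
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# a public-facing host should never see these source addresses on the wire
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
# keep path-MTU discovery and basic reachability working, rate limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 20 -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# SSH only from the admin network, new connections rate limited
-A INPUT -p tcp -s ${admin_cidr} --dport 22 -m conntrack --ctstate NEW -m limit --limit 6/minute --limit-burst 6 -j ACCEPT
EOF
    # one rule per exposed service port, scoped to the server's own address
    # ($ports is deliberately unquoted so the list splits on whitespace)
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp -d ${pub_ip} --dport ${p} -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# log a sample of what is about to hit the DROP policy
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# rule_count RULESET -> number of -A rules in the generated text
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# default_deny RULESET -> exit 0 only if INPUT and FORWARD both default to DROP
default_deny() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' &&
    printf '%s\n' "$1" | grep -q '^:FORWARD DROP'
}

# Usage (addresses are documentation ranges, assumed for the example):
#   build_ruleset 203.0.113.10 198.51.100.0/24 "80 443" > /etc/iptables/rules.v4
#   iptables-restore --test /etc/iptables/rules.v4 && iptables-restore /etc/iptables/rules.v4
```

Two caveats a practitioner would want here. The ruleset only covers IPv4; if the datacenter also hands out IPv6 addresses, an equivalent ip6tables ruleset is needed or v6 traffic reaches the host unfiltered. And a host firewall only protects the host it runs on and can be changed by anyone who gets root there, which is the reason kdearing's reply argues for an enforcement point in front of the servers as well.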
Expert Comment

by:digitap
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.