Solved

How do I protect my servers in a Datacenter

Posted on 2011-02-14
308 Views
Last Modified: 2012-05-11
I have a few servers in a datacenter. I've never needed more than 1 IP and everything has been behind a Cisco ASA5505 so far. I have 64 IP addresses provided to me and I'd like to change the setup to take advantage of them. I would like to bring a handful of web servers and VPN servers online. Each would need to be assigned a public routable IP address (from one of the 64 addresses). My question is, how do I protect all the servers that have public IP addresses? I would like to get away from the ASA5505 because it's limited to 10/100 interfaces and my uplink is 1GB (as well as all my NICs). I cannot spend any more than 1k. I've looked into using pfSense, but I don't quite grasp how this needs to be set up (or if it can support more than one IP in bridge mode, or if you can control bandwidth with this approach). I would like to know some possible solutions and maybe some usage scenarios that are in use now, for similar setups.

Thanks for any insight you can provide.  It's very much appreciated.
Question by:maxvisionsmith
10 Comments
 

Author Comment

by:maxvisionsmith
ID: 34890261
I've been looking at Vyatta but I'm not sure if that's the way to go or not.
LVL 13

Accepted Solution

by:
kdearing earned 250 total points
ID: 34890858
First off, you CAN use your 'extra' IP addresses with your 5505.
You just need to create static NATs to the specific servers.

I doubt you can upgrade to a bigger ASA for $1000.

If you want to build something yourself, take a look at SmoothWall.


Author Comment

by:maxvisionsmith
ID: 34890871
The ASA5505 will use all the IPs I throw at it, but only on the 100 Mbps interfaces, as that's all that's available on that model. I need GB. Do hosting providers typically get Cisco switches and set up each port on its own VLAN?

LVL 4

Assisted Solution

by:RobertParten
RobertParten earned 250 total points
ID: 34890898
Take a look at Untangle as well for a firewall. I used this in a test environment once on a Dual Quad Core Xeon based machine with a Dual Intel NIC card with 4GB of RAM and it ran smooth. Easy to set up and easy to maintain. However, some things are better left to be desired when it comes to how it works and the interface. It also includes a method of bandwidth control that works well.

Give Untangle a shot if you want a lot of features for little money.


Author Comment

by:maxvisionsmith
ID: 34890910
I have servers in a datacenter that I need to protect and they all have public routable IPS.  I'm not going to be running NAT here.
LVL 4

Expert Comment

by:RobertParten
ID: 34891151
Ok, well... in the ASA you can ALWAYS just include MORE interfaces in the "outside" VLAN and plug them directly into those ports and assign them their public IP address and it will work. However, if you want to do that you need to enable

same-security-traffic permit intra-interface

You can do this with a 5502, but you need to put a switch on one of those ports of the ASA to extend if you want to use ALL of the ports on the ASA, or just leave it on ONE interface and attach a switch to that. Proxy ARP will ensure that the ASA answers the ARP request for that specific IP address when the ARP WHO-HAS comes through.

LVL 13

Expert Comment

by:kdearing
ID: 34891755
"I have servers in a datacenter that I need to protect and they all have public routable IPs. I'm not going to be running NAT here."
Every reputable network design or best practice documentation says this is a bad idea.
Publicly accessible servers should be in the DMZ and assigned non-routable IP addresses.
NAT is then used to manage and direct the traffic flow to/from the servers.

LVL 4

Expert Comment

by:RobertParten
ID: 34891790
@kdearing - This isn't always the case my friend. For systems like cPanel you CANNOT have a NAT to the server. In fact, most (if not all) of the ISPs I have worked for and web hosts have their servers assigned public IP addresses. We used Linux, so iptables is what you use to secure servers, in combination with SELinux.

Windows also has its own firewall as well, so I am not going to go as far as saying "Best Security Practice" because we aren't fully aware of his needs and requirements. NAT doesn't have a lot of overhead, but it still takes just a bit of processing power to work, so in theory it is "slower", albeit you may not even notice it.

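A per-host firewall of the kind RobertParten describes (iptables on a server that carries its own public IP, with no NAT in front), written as an added example for this thread, not code supplied by any of the posters. The admin CIDR 198.51.100.0/24 and the service list are constructed placeholders; the function emits an iptables-restore file instead of applying rules, so the result can be reviewed before loading.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a server sitting directly on a
# public IP. Added example for this thread; not the posters' configuration.
# Assumptions: SSH administration comes from one admin CIDR, and the host
# publishes only the listed proto:port services (e.g. web + OpenVPN).
# Usage: gen_ruleset 198.51.100.0/24 "tcp:80 tcp:443 udp:1194" > rules.v4
#        iptables-restore < rules.v4    (as root, after reviewing the file)

gen_ruleset() {
    admin_cidr="$1"      # constructed placeholder: your management network
    services="$2"        # space-separated proto:port list

    printf '%s\n' '*filter'
    # Default deny for inbound and forwarded traffic; the host may talk out.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback and already-established flows; drop malformed state.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Keep path-MTU discovery working; rate-limit echo requests.
    printf '%s\n' '-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # SSH only from the admin network, with a new-connection rate limit.
    printf '%s\n' "-A INPUT -p tcp --dport 22 -s $admin_cidr -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 12 -j ACCEPT"
    # One accept rule per published service.
    for svc in $services; do
        proto=${svc%%:*}
        port=${svc##*:}
        printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) what the DROP policy is about to discard.
    printf '%s\n' '-A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: " --log-level 4'
    printf '%s\n' 'COMMIT'
}

# When run as a script with arguments, print the ruleset to stdout.
if [ "$#" -ge 1 ]; then
    gen_ruleset "$@"
fi
```

Pair this with the same policy on the VPN servers (only the VPN port exposed publicly, SSH from the admin range) so each host enforces its own perimeter instead of relying on the ASA.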
LVL 33

Expert Comment

by:digitap
ID: 35120743
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
