How do I protect my servers in a Datacenter

I have a few servers in a datacenter.  I've never needed more than 1 IP and everything has been behind a Cisco ASA5505 so far.  I have 64 IP addresses provided to me and I'd like to change the setup to take advantage of them.  I would like to bring a handful of web servers and VPN servers online.  Each would need to be assigned a public routable IP address (from one of the 64 addresses).  My question is, how do I protect all the servers that have public IP addresses?  I would like to get away from the ASA5505 because it's limited to 10/100 interfaces and my uplink is 1GB (as well as all my NICs).  I cannot spend any more than 1k.  I've looked into using pfSense, but I don't quite grasp how this needs to be set up (or if it can support more than one IP in bridge mode, or if you can control bandwidth with this approach).  I would like to know some possible solutions and maybe some usage scenarios that are in use now, for similar setups.

Thanks for any insight you can provide.  It's very much appreciated.
Asked by maxvisionsmith
 
maxvisionsmithAuthor Commented:
I've been looking at Vyatta but I'm not sure if that's the way to go or not.
 
kdearingCommented:
First off, you CAN use your 'extra' IP addresses with your 5505.
Just need to create static NATs to the specific servers.

I doubt you can upgrade to a bigger ASA for $1000

If you want to build something yourself, take a look at SmoothWall.

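The static-NAT approach kdearing describes, written out as an added example (this configuration is not from the thread). It uses ASA 8.3-or-later syntax, where NAT is attached to a network object and the inbound ACL is written against the real, untranslated address; pre-8.3 images use the older `static (inside,outside) ...` form instead. Every address, object name and ACL name is a placeholder: 203.0.113.0/26 stands in for the public /26 and 10.0.0.0/24 for a private inside server network.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax, placeholder addresses.
! One network object per server: real (inside) host plus its public static mapping.
object network web1
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
!
object network vpn1
 host 10.0.0.20
 nat (inside,outside) static 203.0.113.20
!
! Since 8.3 the ACL matches the real address (the object), not the public one.
! Only the ports each server actually serves are opened; everything else is
! dropped by the implicit deny at the end of the list.
access-list outside_in extended permit tcp any object web1 eq www
access-list outside_in extended permit tcp any object web1 eq https
access-list outside_in extended permit udp any object vpn1 eq isakmp
access-list outside_in extended permit udp any object vpn1 eq 4500
access-list outside_in extended permit udp any object vpn1 eq 1194
access-group outside_in in interface outside
```

One object and one mapping per public address is the whole pattern; adding a server means adding an object and its ACL lines, not touching existing rules. This keeps the ASA as the single choke point but does not change its 10/100 port speed, which is the constraint the question raises.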
 
maxvisionsmithAuthor Commented:
The ASA5505 will use all the IPs I throw at it, but only on the 100mbps interfaces as that's all that's available on that model.  I need GB.  Do hosting providers typically get Cisco switches and set up each port on its own VLAN?
 
RobertPartenCommented:
Take a look at Untangle as well for a firewall. I used this in a test environment once on a Dual Quad Core Xeon based machine with a Dual Intel NIC card with 4GB of RAM and it ran smooth. Easy to set up and easy to maintain. However, some things leave a bit to be desired when it comes to how it works and the interface. It also includes a method of bandwidth control as well that works well.

Give Untangle a shot if you want a lot of features for little money.
 
maxvisionsmithAuthor Commented:
I have servers in a datacenter that I need to protect and they all have public routable IPs.  I'm not going to be running NAT here.
 
RobertPartenCommented:
Ok, well... in the ASA you can ALWAYS just include MORE interfaces in the "outside" VLAN and plug them directly into those ports and assign them their public IP address and it will work. However, if you want to do that you need to enable

same-security-traffic permit intra-interface

You can do this with a 5502, but you need to put a switch on one of those ports of the ASA to extend it if you want to use ALL of the ports on the ASA, or just leave it on ONE interface and attach a switch to that. Proxy ARP will ensure that the ASA answers the ARP request for that specific IP address when the ARP WHO-HAS comes through.
 
kdearingCommented:
"I have servers in a datacenter that I need to protect and they all have public routable IPs.  I'm not going to be running NAT here."
Every reputable network design or best practice documentation says this is a bad idea.
Publicly accessible servers should be in the DMZ and assigned non-routable IP addresses.
NAT is then used to manage and direct the traffic flow to/from the servers.
 
RobertPartenCommented:
@kdearing - This isn't always the case my friend. For systems like cPanel you CANNOT have a NAT to the server. In fact, most (if not all) the ISPs I have worked for and web hosts have their servers assigned public IP addresses. We used Linux so iptables is what you use to secure servers in combination with SELinux.

Windows also has its own firewall as well, so I am not going to go as far as saying "Best Security Practice" because we aren't fully aware of his needs and requirements. NAT doesn't have a lot of overhead, but it still takes just a bit of processing power to work so in theory it is "slower", albeit you may not even notice it.
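The no-NAT design the question asks about (pfSense-style bridge mode in front of servers that keep their public addresses) and the iptables filtering RobertParten mentions come down to the same ruleset, so here is one added example that is not from the thread: a Linux box bridging the uplink port and the server-switch port filters every frame that crosses the bridge, while the servers keep their routable IPs and the bridge itself carries no address. Two caveats a practitioner needs: iptables only sees bridged traffic when the br_netfilter module is loaded with net.bridge.bridge-nf-call-iptables=1, and in the FORWARD chain the physical port must be matched with the physdev module rather than -i, because -i only names the bridge. Interface names, the 203.0.113.0/26 block standing in for the /26, the host addresses, the ports and the 200mbit cap are all hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables-restore ruleset
# for a transparent (bridge-mode) firewall: br0 joins eth0 (uplink) and eth1
# (server switch); servers keep their public IPs, nothing is NATed.
# Requires br_netfilter with net.bridge.bridge-nf-call-iptables=1, otherwise the
# FORWARD chain never sees bridged frames. All names and addresses are placeholders.

SERVER_NET="203.0.113.0/26"   # public block routed to this site (placeholder)
UPLINK="eth0"                 # bridge port facing the datacenter router
SERVERS="eth1"                # bridge port facing the server switch

# gen_ruleset "WEB_HOSTS" "VPN_HOSTS": print an iptables-restore ruleset.
# Both arguments are space-separated lists of public IPv4 addresses.
gen_ruleset() {
    web_hosts=$1
    vpn_hosts=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m physdev --physdev-in $UPLINK -s $SERVER_NET -j DROP
-A FORWARD -m physdev --physdev-in $SERVERS ! -s $SERVER_NET -j DROP
-A FORWARD -m physdev --physdev-in $SERVERS -s $SERVER_NET -j ACCEPT
-A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
-A FORWARD -p tcp --syn -m hashlimit --hashlimit-name syn --hashlimit-mode srcip --hashlimit-above 50/second --hashlimit-burst 100 -j DROP
EOF
    # Per-host allowlists: web servers get only 80/443, VPN servers only IKE,
    # NAT-T and OpenVPN. Anything not listed falls through to LOG and the DROP policy.
    for h in $web_hosts; do
        printf '%s\n' "-A FORWARD -d $h -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
    done
    for h in $vpn_hosts; do
        printf '%s\n' "-A FORWARD -d $h -p udp -m multiport --dports 500,4500,1194 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "bridge-drop: "
COMMIT
EOF
}

# shape_cmds DEV RATE: print the tc command that caps what leaves DEV. Shaping is
# done on the physical uplink port, so it works unchanged in bridge mode; capping
# eth0 egress limits the servers' aggregate upload toward the internet.
shape_cmds() {
    printf '%s\n' "tc qdisc replace dev $1 root tbf rate $2 burst 32kbit latency 400ms"
}

WEB="203.0.113.10 203.0.113.11"   # placeholder web servers
VPN="203.0.113.20"                # placeholder VPN server
case "${1:-}" in
    apply) gen_ruleset "$WEB" "$VPN" | iptables-restore && shape_cmds "$UPLINK" 200mbit | sh ;;
    *)     gen_ruleset "$WEB" "$VPN"; shape_cmds "$UPLINK" 200mbit ;;
esac
```

Run without arguments it only prints the ruleset for review; `apply` loads it atomically with iptables-restore and installs the shaper. The two physdev anti-spoof rules are what a plain host firewall cannot give you: frames arriving from the uplink that claim a source inside the /26, and frames from the server switch that do not, are dropped before any port rule is consulted. The same per-host port lines, moved to the INPUT chain, are the host-side iptables policy RobertParten refers to, and they stack with this bridge rather than replacing it.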
 
digitapCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.