maxvisionsmith asked:
How do I protect my servers in a Datacenter

I have a few servers in a datacenter.  I've never needed more than 1 IP and everything has been behind a Cisco ASA5505 so far.  I have 64 IP addresses provided to me and I'd like to change the setup to take advantage of them.  I would like to bring a handful of web servers and VPN servers online.  Each would need to be assigned a public routable IP address (from one of the 64 addresses).  My question is, how do I protect all the servers that have public IP addresses?  I would like to get away from the ASA5505 because it's limited to 10/100 interfaces and my uplink is 1GB (as well as all my NICs).  I cannot spend any more than 1k.  I've looked into using pfSense, but I don't quite grasp how this needs to be set up (or if it can support more than one IP in bridge mode, or if you can control bandwidth with this approach).  I would like to know some possible solutions and maybe some usage scenarios that are in use now for similar setups.

Thanks for any insight you can provide.  It's very much appreciated.
maxvisionsmith (asker):
I've been looking at Vyatta but I'm not sure if that's the way to go or not.
ASKER CERTIFIED SOLUTION from kdearing
The ASA5505 will use all the IPs I throw at it, but only on the 100mbps interfaces as that's all that's available on that model.  I need GB.  Do hosting providers typically get Cisco switches and set up each port on its own VLAN?
SOLUTION
I have servers in a datacenter that I need to protect and they all have public routable IPs.  I'm not going to be running NAT here.
Ok, well... in the ASA you can ALWAYS just include MORE interfaces in the "outside" VLAN and plug them directly into those ports and assign them their public IP address and it will work. However, if you want to do that you need to enable

same-security-traffic permit intra-interface

You can do this with a 5502, but you need to put a switch on one of those ports of the ASA to extend if you want to use ALL of the ports on the ASA, or just leave it on ONE interface and attach a switch to that. Proxy ARP will ensure that the ASA answers the ARP request for that specific IP address when the ARP WHO-HAS comes through.
I have servers in a datacenter that I need to protect and they all have public routable IPs.  I'm not going to be running NAT here.
Every reputable network design or best practice documentation says this is a bad idea.
Publicly accessible servers should be in the DMZ and assigned non-routable IP addresses.
NAT is then used to manage and direct the traffic flow to/from the servers.
@kdearing - This isn't always the case my friend. For systems like cPanel you CANNOT have a NAT to the server. In fact, most (if not all) the ISPs I have worked for and web hosts have their servers assigned public IP addresses. We used Linux so iptables is what you use to secure servers in combination with SELinux.

Windows also has its own firewall as well, so I am not going to go as far as saying "Best Security Practice" because we aren't fully aware of his needs and requirements. NAT doesn't have a lot of overhead, but it still takes just a bit of processing power to work, so in theory it is "slower", albeit you may not even notice it.
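As an added illustration of the host-firewall approach the reply above describes (iptables on a Linux server that sits directly on a public IP with no NAT in front of it), here is a default-deny ruleset generator. This is not code posted by anyone in this thread; the public address, the admin network allowed to reach SSH, and the service ports are constructed placeholders supplied through environment variables.

```shell
#!/bin/sh
# Added example, not from the thread: host firewall for a server on a public IP.
# Emits an iptables-restore ruleset; apply on the host with:  sh fw.sh apply
# Constructed placeholder values (override via environment):
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"       # the server's own public address
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"    # only source allowed to reach SSH
WEB_PORTS="${WEB_PORTS:-80,443}"             # services the whole Internet may reach

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to flows the host itself started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# public services, bound to the address we actually serve from
-A INPUT -d $PUBLIC_IP -p tcp -m multiport --dports $WEB_PORTS -m conntrack --ctstate NEW -j ACCEPT
# management only from the admin network, with a per-source new-connection limit
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-upto 6/min --hashlimit-burst 6 --hashlimit-mode srcip -j ACCEPT
# ICMP needed for path MTU discovery and basic reachability (echo is rate-limited)
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# log (rate-limited) what the default policy drops so denies show up in syslog
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Number of explicit ACCEPT rules in the generated set; a quick sanity check
# that an edit did not silently open or close more than intended.
count_accepts() { gen_rules | grep -c -- '-j ACCEPT'; }

# Load the ruleset atomically (requires root on the target host).
apply_rules() { gen_rules | iptables-restore; }

if [ "${1:-}" = "apply" ]; then apply_rules; else gen_rules; fi
```

Run without arguments to review the ruleset before applying it; the FORWARD chain stays DROP because a host on a public IP should never be routing for anything else.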
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.