RE: Securing the Server Farm



Wali,
What business are you in? Designing infrastructure for a web services
provider can be different than designing for a corporate server farm.
Are your IDFs at the edge upstream to the same provider, or to two
different providers? Hopefully, they connect to separate internets.

If you have the capacity on the switches to allow for growth (capacity
planning, include electrical and cooling requirements), you could
connect one NIC of each server to each core switch. The 50 you quote
might be good for now, but you may grow that system to a couple hundred
with blade servers and SAN technology. The question is, can your farm
handle the environmental needs if you do?

For protection, I'd recommend at minimum a stateful in-line firewall
between each core switch and the IDF. Be sure it can handle the
capacity of the uplink without too much of a performance hit.

At least one IPS. The first one passively connected to both core
switches (hint, designate a port on each switch for promiscuous mode,
and connect the IPS there). You should be able to connect one IPS to
both switches and monitor them together.

If you can afford a second one (or two), place them in-line between the
firewall and the IDF. These will be more expensive since they (like the
firewall) have to connect in-line without too much of a performance hit.

In the best scenario, you'll want to know everything attempting to come
in, and what is making it past the firewall.

In overall security, consider this one layer of the multi-layer
approach. Design for securing the hosts, and physical security, and
DRP/BCP as well.

Jay Bowers
Security Analyst
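To make the "stateful in-line firewall between each core switch and the IDF" and the "know everything attempting to come in, and what is making it past the firewall" points concrete, here is an added example ruleset (not from the original thread or either poster) for a Linux box doing that in-line job with nftables. The interface names idf0 (towards the IDF uplink) and core0 (towards the core switch), the server-farm range 10.10.0.0/24, and the published ports are all assumptions chosen for illustration; substitute the real ones. The default policy is drop, only established or related return traffic and explicitly published services pass, and both the accepted new connections and the drops are logged so the passive IPS and the log collector see the two views Jay describes.

```nftables
#!/usr/sbin/nft -f
# Added example: in-line stateful firewall between the IDF uplink and a core switch.
# Assumed names: idf0 = interface facing the IDF/edge, core0 = interface facing the
# core switch, 10.10.0.0/24 = the server farm. All are placeholders, not real values.

flush ruleset

table inet farm {
    chain forward {
        # Default deny: nothing crosses the box unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Stateful part: allow replies and related flows of already accepted sessions,
        # and drop packets that do not belong to any known connection.
        ct state established,related accept
        ct state invalid counter drop

        # Published services reachable from the edge; each new session is logged so
        # "what is making it past the firewall" is recorded, then accepted.
        iifname "idf0" oifname "core0" ip daddr 10.10.0.0/24 \
            tcp dport { 80, 443 } ct state new \
            log prefix "FARM-PASS " counter accept

        # Servers may open outbound sessions towards the edge; also logged.
        iifname "core0" oifname "idf0" ip saddr 10.10.0.0/24 ct state new \
            log prefix "FARM-OUT " counter accept

        # Everything else is an attempt that did not get in; log it before the
        # policy drop so "everything attempting to come in" is visible too.
        log prefix "FARM-DROP " counter drop
    }
}
```

Load it with `nft -f` on the firewall host and watch the kernel log for the FARM-PASS and FARM-DROP prefixes; the passive IPS on the switch mirror port then sees the traffic that the PASS lines account for, which is a useful cross-check that the two devices agree. Whether a given platform can do this at the uplink rate is exactly the capacity question Jay raises, so test the throughput with the logging enabled, since logging is usually what costs performance.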

-----Original Message-----
From: WALI [mailto:hkhasgiwale@xxxxxxxxx]
Sent: Wednesday, July 25, 2007 3:33 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Securing the Server Farm

We are in the middle of designing a network infrastructure and were
wondering what the current design improvements are that I can undertake
in designing the server farm. Given that there would be a core switch (two
for redundancy) and IDFs for connecting at the edges, how should I place
my servers (about 50 of 'em)?

Should I place them directly on the core and build some L3 access lists
or put another set of L3-L7 switch after the core and connect all my
servers to it?

Can I place an IPS/Firewall in the middle or would that be an overkill?

Pls advise!!