DC Equipment Suggestions
I have maintained my servers in an office for many years, but now plan on moving it all to a data center.
At the office most servers are hooked up to a KVM or a makeshift console server made out of an old PM2E. I ssh in from home like everyone else.
Do you use an IP-based KVM or console server to access your servers at your data center or simply use ssh?
I do some basic firewall filtering at my gateway router and each server has some form of firewall.
Do you use a bastion firewall in addition to your servers' firewall? A bastion firewall might take some of the load off your servers, but would introduce a single point of failure. I would think this would be necessary, though, for any cluster with a Windows server. Maybe I should place the bastion firewall only in front of the winbox?
Any thoughts on this?
Thanks.
profitability
10-01-04, 15:26
Money is always an object, I know, but if it fits the budget:
1. KVM/IP is very nice, particularly if you need to access the BIOS or make significant networking changes. It's also quite pricey. :)
2. Absolutely 100% for sure get yourself some type of power outlet with remote reboot capabilities. You can find used APC gear very cheap on eBay, and the ability to reboot a locked-up server is hard to live without.
3. Definitely go with a stand-alone firewall. Most firewall manufacturers these days make firewalls that can be installed in a high-availability configuration where you install two firewalls and the standby firewall watches the active one and takes over in case of failure, thus eliminating your concern for single points of failure. You do have to buy two firewalls, though.
4. IDS/IPS/DDoS prevention devices are becoming more and more commonplace and more and more necessary, although they are still very pricey for a good one. Your datacenter may offer those types of services as well.
Andrew
Good suggestions.
Can you make any recommendations on reasonable price/performance stand-alone firewalls?
Thanks again.
profitability
10-02-04, 11:04
I've always been partial to the Sonicwall Pro series of firewalls, although in the same price range you might also take a look at Netscreen and Watchguard. If you're a Cisco guy, used PIX firewalls can be had for reasonable prices as well.
Andrew
Hi,
I happened to browse through the forum and saw this posting. I am also looking for a hardware or software solution to manage the bandwidth that is allocated to us in the datacenter.
I am not sure what the right name for this "thing" is and hope to find some advice and recommendations here.
Basically, if I have a 10Mbps line in the datacenter and I need to give 2Mbps dedicated to a certain customer/IP address and the rest of it will be shared by all the servers, what kind of hardware or software do I need?
I browsed through Google and happened to find software called astroflowguard http://www.netsoft.co.za/products.php which seems to do what I need. Anyone used that before?
Hope to have some other recommendations as well!...
Thanks a lot.
profitability
10-04-04, 09:47
I've not used astroflowguard, but any decent managed switch can do per-port bandwidth capping, which should be all you need if your particular client can be tied down to one particular port on a switch. Otherwise you might have a look at Packeteer's PacketShaper products: http://www.packeteer.com/prod-sol/products/packetshaper.cfm which are excellent, or also take a look at Foundry's ServerIron product line: http://www.foundrynet.com/products/webswitches/serveriron/index.html
Andrew
Can a managed switch do that? From what I understand it only does bandwidth capping but does not dedicate 2Mbps to a particular port, right?
For example, if I get a managed switch and cap a certain port to 2Mbps, and for some reason my 10Mbps is used up, will it still leave 2Mbps to that particular port? Or does the switch only "limit" the port to a certain bandwidth (up to 2Mbps)?
I hope you understand my question. Sorry, I am really new to this and hope to find out more.
Thanks a lot
profitability
10-04-04, 13:09
You're correct. Most of your traditional managed switches can only cap bandwidth, not provide QoS type functionality. The higher-end switches and devices like the PacketShaper or ServerIron can do that, though.
Andrew
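One way to get the guarantee-versus-cap distinction Andrew describes in software, as an added illustration rather than anything posted in this thread: Linux HTB on the gateway, where `rate` is the share a class is guaranteed under load and `ceil` is the most it may borrow. The interface name and customer address are constructed placeholders, and the script prints the tc commands for review instead of running them unless DRY_RUN=0 is set on a real gateway.

```shell
#!/bin/sh
# Added example (not from the thread): guarantee 2 Mbit/s of a 10 Mbit/s line
# to one customer address with Linux HTB, letting everyone else share the rest.
# Applied on the gateway's inner interface (facing the servers), so the
# destination IP identifies the customer. eth0 and 203.0.113.10 are placeholders.
#
# HTB terms, matching the thread's distinction:
#   rate = bandwidth the class is guaranteed when the link is saturated
#   ceil = the most the class may borrow when the link is idle (the "cap")

# DRY_RUN=1 (default) prints each tc command; DRY_RUN=0 executes it (needs root).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# htb_plan IFACE LINE_KBIT GUARANTEED_KBIT CUSTOMER_IP
htb_plan() {
    iface=$1; line=$2; guaranteed=$3; customer=$4
    # A guarantee larger than the line cannot be honoured; refuse it.
    [ "$guaranteed" -lt "$line" ] || { echo "guarantee must be below line rate" >&2; return 1; }
    shared=$((line - guaranteed))   # what the remaining servers are promised

    # Root qdisc: unclassified traffic lands in class 1:20 (the shared pool).
    run tc qdisc add dev "$iface" root handle 1: htb default 20
    # Parent class sized to the line, so children can only borrow real capacity.
    run tc class add dev "$iface" parent 1: classid 1:1 htb rate "${line}kbit" ceil "${line}kbit"
    # Customer: guaranteed 2 Mbit/s under load, may burst to the full line when idle.
    # A plain switch-port cap would instead only enforce the 2 Mbit/s ceiling.
    run tc class add dev "$iface" parent 1:1 classid 1:10 htb rate "${guaranteed}kbit" ceil "${line}kbit"
    # Everyone else: guaranteed the remainder, may also borrow up to the line.
    run tc class add dev "$iface" parent 1:1 classid 1:20 htb rate "${shared}kbit" ceil "${line}kbit"
    # Steer traffic destined for the customer's address into class 1:10.
    run tc filter add dev "$iface" parent 1: protocol ip prio 1 u32 match ip dst "$customer"/32 flowid 1:10
}

htb_plan eth0 10000 2000 203.0.113.10
```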
Hi,
Great.. Thanks for your advice. :) Appreciate your help.
PacketShaper is a very good piece of hardware, but if you don't need to shape traffic based on file type, a managed switch combined with any decent firewall will give you the same functionality and be able to handle a far higher throughput.
Additionally, the documentation and support for PacketShaper assume you wish to manage a network of users, not a network of hardware. The scenarios and tutorial walkthroughs all assume you wish to manage your network by restricting the speed at which mpeg files can be downloaded and prioritising voip traffic.
If you need the additional functionality and can get through the documentation the system itself is great and very flexible.
I recently moved some servers from a customer's home office to our datacenter in Zurich. We did a sort of special setup for him.
KVM over IP is a very expensive solution atm; we simply put up a Windows machine for him with an ISDN card and attached a standard KVM switch to the box. That way our customer can either use Microsoft RDP (Terminal Services) through VPN to get into it, or, if he is somewhere other than at home, he can use his laptop and mobile phone to dial into his server and control all of his machines. It's not very fast over ISDN but it does the job.
The servers are running a hardened Debian kernel based on openwall patches and a few others. They have all useless and insecure services turned off. We don't run a local firewall on them. 2 redundant Cisco PIX 525s are doing all the firewalling. All traffic goes through these 2 babies (well, one of them in general); we do some basic QoS so no server can kill the full line and we always have enough speed to use the basic services (SSH, SMTP, RDP). DoS mitigation is done at our carrier so we don't have to bother with it at all.
Another great solution for building up secured networks is Inkra Networks' products; you can check these out at www.inkranetworks.com. I still prefer Cisco PIX because of the number of new connections it can handle even under heavy load, but we have some customers that use Inkra and they are more than happy.
We use Netscreen at the border, Extreme Networks in the middle for QoS (rudimentary), and SGI and Linux boxes underneath all that.
APC MasterSwitch outlet control is an ESSENTIAL, agree there!
Lastly, make sure that if you have HA firewalls you have dual redundant network drops, otherwise you still have a SPOF.
Just got off the phone with a tech from firewalls.com. We were talking about SonicWall Pro options.
The lowest-end model that provides failover capabilities is the 2040 ES. Sure, it can handle 32,000 simultaneous TCP connections, but it sells for $2,483!
If you add intrusion prevention for around $800 and an annual support contract for around $300, you're looking at $3,600 for a firewall...
Is this really worth the price??
profitability
10-08-04, 10:11
It is if you need that level of performance. If that's a bit more than you're looking to spend, you might check on eBay for some of the older SonicWall models that still have HA capabilities. You can usually get those used pretty cheaply.
Andrew