Co-locating - securing my server

I'm worried about my server. It's co-located and there's no firewall protecting it other than a software one. The interesting thing is that it uses a remote access controller (a DRAC/4i) which has its own IP address and while the server itself is just fine, I can't access my DRAC anymore; it complains of too many user sessions though no-one is logged on. I don't know if it's a simple DoS attack or what but while my server's IP addresses (it has two NICs) are stealthed, I can certainly ping my DRAC. So...

How best to secure this server and its DRAC?

This is especially important if I install another server as well which I probably will soon. Ideally, I want an email server, and a backup/web server but that would be 6 NICs in total, two of which can't be stealthed.

Is it worth investing in a decent firewall and if so, which one?

How about the Cisco PIX 501?

What should I do about so many NICs? Will I need to buy a decent switch as well and if so, how would a PIX 501 or similar be used with a switch?

Can anyone recommend any reading material on this sort of subject?

Thanks for looking :)
 
Skilldibop said:
That smacks of a connection that hasn't dropped properly and although there's nothing connected it thinks it still has a secure session connected.
Yes, I'm not very impressed with the DRAC at all. I think there must be a problem with it to fail such a basic requirement as timing out dropped sessions in a reasonable amount of time. As it is, I've left it overnight and it still complains that there are too many open sessions to connect to it.
 
derfderfley said:
The Pix is a firewall not a switch, and there is certainly an argument for keeping the two devices separate even if you do have enough ethernet interfaces available on the firewall.
Sorry, I might have misled you. It has a 4 port switch built-in which would be ideal for one server with three NICs (including the DRAC) but I have at least one other server which I will wish to colocate as well. I'm guessing therefore, that I will need to connect my server(s) to a multi-port switch and the switch to the PIX firewall. Does that sound sensible?

derfderfley said:
A quick look on the cisco site suggests you'd be looking at either a 515E or 525 to get wire speed throughput out of a 100mb external connection.
Damn, I thought that might be the case, so I'm really looking at something better than a PIX 501 then, unfortunately, though I will only be accessing my servers via the internet so I won't need wire-speed. I guess the 501 would be suitable for a single server but for several, say five or six, I'm better investing in something quicker?

derfderfley said:
The 515E is rated at 188mbps and the 525 at 330mbps. It may not sound important but the 501/3 only have a throughput of 60/100mbps respectively, and you don't want the firewall to be a choke point on the network.
Proper money then? :)

derfderfley said:
Cisco switches? well a Cat 2960 would probably be overkill so maybe a Cat 500?
Is there much difference in switches? I thought I might as well go for a rack mount 24 port unit.

derfderfley said:
One advantage of a firewall in front of your co-lo equipment is you can set it all up so that all admin is done via a secure VPN connection, rather than having your DRAC on a publicly accessible IP.
Sounds ideal, so any of the PIX series will allow me to do this?

derfderfley said:
At the end of the day, it's not going to be cheap, less so if you require someone to either set-up or manage the firewall for you.

Do you have a budget in mind ?
The budget is quite tight but if I have to pay to get decent throughput and security, then I'll have to bite the bullet I guess.
 
Wyvern971 said:
Possibly wouldn't see a problem in a SOHO environment; what throughput do you need?
My server(s) is colocated and there are now three people using it but we're using it for all sorts now including hosting a web site, backups and various development work. Recently I put an email server on it as well and so the server is at the point where it's doing too much really and another server needs to be connected.

Wyvern971 said:
Depending on how much you want to spend and the features you need, if you only need a switch with minimal management functions then a 3Com may suit you fine. I guess this also depends on how much space you have at the co-location (the company I work for rents them out per half rack).
Interesting. How much does a rented one work out at approximately then? I've never thought of asking my host about it...

Wyvern971 said:
All PIX firewalls support the VPN function, however you will need a license to unlock this feature (DES, 3DES and AES are supported). Got the matrix of throughputs at home somewhere.
There seem to be a few PIX firewalls for auction and I'm just wondering if it might be simpler just to use one PIX 501 per server's three NICs if I can get the PIX 501s cheap enough...
 
Skilldibop said:
You will need wire speed 'cos if you implement a hardware firewall, in order to not completely compromise it, ALL traffic to the server needs to go through it. If you have a 100Mbit connection to the net, it's pointless wasting any of it, let alone 40% as with the 501. Depending on how you want to do it and what OS your server runs, you can either establish a logical level VPN with the firewall and then worry about connecting to the server, or if you run Server 2003/2000 (there are others, just these are the only ones I've used for this) you can set up an application layer VPN where the server itself is the end point, thus the firewall needs only support VPN pass through.
All that said, I'd be confident the PIX series do have VPN capability, and the lower down the OSI model your security comes in, the harder it is to get around.
I'd trust my VPN more willingly to Cisco than to Microsoft.

Cisco Cat 2924 XL supports VLANs and can take an IP address for remote telnet config, tbh you don't really want anything
Thanks, this is all very useful information :)
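As an added illustration of the policy derfderfley and Skilldibop describe (everything through the firewall, admin only over the VPN, the DRAC off the public internet), and not code from anyone in this thread: a small Python model of a first-match access list, with constructed documentation addresses standing in for the real ones, plus a check that reports which management ports would still be reachable from the internet under each policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed addresses (RFC 5737 / RFC 1918 ranges), not the poster's real ones.
ANY = ipaddress.ip_network("0.0.0.0/0")
SERVER = ipaddress.ip_network("203.0.113.10/32")   # the server's public NIC
DRAC = ipaddress.ip_network("203.0.113.11/32")     # the DRAC's own public address
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")    # addresses the firewall hands to VPN admins

# Management services per host that should never answer to the internet
# (DRAC web/ssh/telnet, RDP on the Windows server).
MGMT: Dict[ipaddress.IPv4Network, Tuple[int, ...]] = {
    DRAC: (22, 23, 80, 443),
    SERVER: (3389,),
}

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[FrozenSet[int]]  # None = any destination port

# Current state: a software firewall on the server only, so the DRAC answers to anyone.
NO_FIREWALL = [Rule("permit", ANY, ANY, None)]

# Proposed state: a firewall in front of the rack, first match wins, explicit deny last.
VPN_ONLY_ADMIN = [
    Rule("permit", VPN_POOL, DRAC, None),                   # DRAC only over the VPN
    Rule("permit", VPN_POOL, SERVER, frozenset({3389})),    # RDP only over the VPN
    Rule("permit", ANY, SERVER, frozenset({25, 80, 443})),  # public mail/web services
    Rule("deny", ANY, ANY, None),                           # everything else dropped
]

def evaluate(policy: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation, the way an access list is processed top to bottom."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if s in r.src and d in r.dst and (r.ports is None or port in r.ports):
            return r.action
    return "deny"  # no rule matched: implicit deny

def exposed_management(policy: List[Rule], probe_src: str = "198.51.100.7") -> List[Tuple[str, int]]:
    """Return (host, port) pairs an internet source could reach on management services."""
    hits = []
    for net, ports in MGMT.items():
        host = str(net.network_address)
        for port in ports:
            if evaluate(policy, probe_src, host, port) == "permit":
                hits.append((host, port))
    return hits
```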
 
I just want to say thanks to everyone for all the advice :)

And now I'll ruin your day with a really poor joke so apologies up front ;)

The good news is that the Dell Remote Access Controller is now up and running again after a reboot which closed the open sessions and a very slow and scary firmware update which seemed to fix the slow communication. I guess it goes to show that a mistake in the UART can kill a DRAC! :)
 