
View Full Version : security of a colocated server
dektong 01-16-2001, 09:26 PM
I am reviewing every single detail (AUP, SLA, contract, etc.) before I am thinking about colocating my servers. Here is a quoted portion of an AUP regarding the security of a colocated server from a company that I won't name here. Although the company has a pretty good reputation, I just need your input regarding this matter before I talk directly to them.
Here is the portion of the quoted AUP.
------------------
The customer is solely responsible for any breaches of security affecting servers under customer control.... the customer is responsible for the cost to rectify any damage done to the customer's server and any other requirement affected by the security breach.
------------------
My questions are: Is this portion of the AUP a normal one? Who is actually responsible for the security of a colocated server? If the customer is solely and fully responsible for the colocated server, why bother colocating it (other than to have the bandwidth advantage)? Shouldn't the NOC have some kind of guaranteed security level (firewall, etc.) where our colocated server will reside, such that we shouldn't care too much about some hackers breaking the NOC firewall/security to come and screw up our server?
Thank you in advance.
cheers always,
:beer:
webfors 01-16-2001, 09:50 PM
Server security is always the responsibility of the customer unless you pay for a firewall service. Most NOCs offer this, although at a premium.
dektong 01-17-2001, 04:31 AM
So are you saying this is a normal practice for any NOC? The fact is that, after talking to several different companies offering colocation services, every one of them does guarantee some kind of security protection (even ***** does port monitoring on their dedicated server). That's actually the biggest factor that makes me consider a colocation/dedicated server: the security issue more than the bandwidth issue.
Anyway, if a NOC offers this firewall service, does it mean we do not have to worry about the security of our servers since the NOC will be responsible for any incoming data packet through their firewall system? I can't imagine a NOC that does not have/offer a firewall system or any kind of security protection.
Last question, how far should a NOC be responsible regarding the security of the servers in their network? I still can't imagine that the security of the servers is solely and fully the responsibility of the customers! It's just like putting my server at home (except with a better connection), which just has basic firewall security protection.
cheers,
:beer:
DaveC# 01-17-2001, 05:56 AM
So are you saying this is a normal practice for any NOC?
yes
Anyway, if a NOC offers this firewall service, does it mean we do not have to worry about the security of our servers since the NOC will be responsible for any incoming data packet through their firewall system?
Having a firewall in place does not mean that your server is secure. I have visited many company sites where they have a dedicated firewall solution but are not secured, as they have multiple tunnelled protocols etc. A firewall is only useful if it is properly managed. It is also worth mentioning that firewalls cannot prevent DoS attacks or security breaches resulting from poor practice by operators and administrators.
Tarin 01-17-2001, 08:38 AM
The only way anyone can guarantee security on your server is if they're the ones managing it. So, yes, it is normal for all NOCs that don't provide management services for the colocated servers.
Firewalls can't totally lock down your box. Think of the firewall that is installed in every car -- it'll prevent an engine fire from coming up into the cabin in most cases, but it won't stop the engine from ending up in your lap if you drive the car into a wall. It's a tool, and tools are limited.
Your average firewall is limited to preventing and allowing access to your server according to certain rulesets. For example, don't let anyone telnet in, but let them access the web server. So, this will generally protect you from people breaking in through telnet, but it won't help you if your web server is insecure. Do you see?
The advantage of co-locating in a NOC is that you're outsourcing all of the NOC functions -- most 'serious' NOCs have redundant power (utility feed, generator, UPS system), redundant A/C, redundant network equipment and connections, and a staff on-site 24/7 that you can have do at least basic things (reboot the server, check to see if a fan is blocked, etc).
You can usually co-locate a single server for anywhere from $100-1500/mo, depending on the NOC you choose.
Compare that to an itemized breakdown of running your own NOC:
1. Install redundant power
   $500/mo for generator (or $15000 up front, you pick)
   UPS system ($100, assuming basic UPS for one computer)
   Wiring/Electrician ($10000, at least to set up)
2. Install redundant A/C
   $2000, at least
3. Redundant network equipment and connections
   $2000/mo for two T1's from different providers
   $5000 for router capable of running BGP to make use of redundant providers
4. $5000/mo to hire a 24/7 crew of NOC monkeys (and I do mean _monkeys_)
And those are only the _obvious_ costs I can think of. There are many hidden costs and extras.
Or, you can outsource all that, and pay a NOC to do it for you.
webfors 01-17-2001, 10:29 AM
dektong, port monitoring is just a system that monitors if your server is responding or not. It has nothing to do with security. Most NOCs have some sort of monitoring system that will notify them if your server becomes unresponsive.
cbaker17 01-17-2001, 11:18 AM
You're right to a certain extent, tabernack, but actually port monitoring can have to do with security. For instance, our NOC monitors our switches 24/7 and watches all traffic going in and out. If we notice a huge influx on a port, such as a ton of traffic going through a port contin., that usually means the server's been compromised security-wise; we then alert the customer and assist them with determining whether their box has been hacked.
As far as a firewall solution, many NOCs don't employ firewall solutions due to the fact that they can restrict too much. In other words, on servers there is a generic port setup for telnet, FTP, www, etc. Firewalls leave only the ports you want open open, but let's say you have a customer who has a piece of software running on a non-standard port, or let's say he changes his FTP to a non-standard port: the firewall would not allow any connections to these ports, hence no FTP and no access to the program. The NOCs don't use firewalls as a courtesy to customers, actually; firewalls would save NOCs a lot of headaches, but they know that not every customer is going to run their servers according to the firewall rules.
As far as security, the security lies in the dedicated box owner's hands; it is your responsibility to lock down your box as tight as possible, not that of the NOCs. If you decide to give your username and password out to many people or you decide to start up anonymous FTP etc... the consequences of such actions should never lie in the hands of the NOC; they're there to provide you with bandwidth and the infrastructure and that's it.
cbaker17 01-17-2001, 11:19 AM
I have to start slowing down on my typing and start spelling correctly :(
webfors 01-17-2001, 11:59 AM
Charles, I was referring to dektong's post of ***** monitoring certain ports on your server. I doubt very much that they would be monitoring the traffic going to and from the port, but more likely just periodically attempting to connect to that port to confirm that the server on that port is responding.
When you talk about monitoring switches and such, I'm sure the monitoring is much more elaborate.
Don't werry abot da spellan, I'm not dat greet myselph. :D
cbaker17 01-17-2001, 12:01 PM
Sorry, I didn't realize you were talking explicitly about *****...
webfors 01-17-2001, 12:20 PM
My bad, I should have clarified!! Not everyone can read minds like me :D I have to start using the Quote button more.