  1. #1

    Which components to buy? Server reboot and hardware firewalls...

    Hi WHT,

    I am really confused now about these components, so please let me ask you.

    We will need a firewall and some reboot dongles to reset our webservers from our own coded control panel. We don't like to use nocmonkey or other software, but we need something that will hard-reboot the server.


    We have found www.webresetter.de for hardware reboot of servers. Each jack is 10-15 euro and a switch from 40 euro. Do you have more information about other companies and products? We don't want IPMI cards because we will buy an Avocent IP KVM with 16 PC connections later.


    And for firewalls: we have a 60 Mbps connection for now, going up until it reaches 100 Mbps in total, located in a datacenter here, and we want to secure our network against botnet/DDoS/DoS attacks. Which firewall would you recommend to me, and why?

    We want to secure our own network in our cabinet, and we don't want to use passive mode FTP while securing the network.


    http://www.newegg.com/Product/Produc...82E16833120312
    http://www.newegg.com/Product/Produc...82E16833120072
    http://www.newegg.com/Product/Produc...82E16833120076
    http://www.newegg.com/Product/Produc...82E16833120073
    http://www.newegg.com/Product/Produc...82E16833120074


    Thanks in advance.

  2. #2


    Quote Originally Posted by justify:
    Hi WHT,

    And for firewalls: we have a 60 Mbps connection for now, going up until it reaches 100 Mbps in total, located in a datacenter here, and we want to secure our network against botnet/DDoS/DoS attacks. Which firewall would you recommend to me, and why?

    Thanks in advance.
    Many hosts on WHT have recommended IntruGuard earlier. PIX is not going to solve your botnet/DDoS/DoS attack problems.

    According to Cisco:
    Although firewalls play a critical role in any organization's security solution, they are not purpose-built DDoS prevention devices. In fact, firewalls have certain inherent qualities that impede their ability to provide complete protection against today's most sophisticated DDoS attacks.
    First is location. Firewalls reside too far downstream on the data path to provide sufficient protection for the access link ... they are often targeted by attackers who attempt to saturate their session-handling capacity to cause a failure.
    Second is a lack of anomaly detection. Firewalls are intended primarily for controlling access to private networks, and they do an excellent job of that. One way this is accomplished is by tracking sessions initiated from inside (the "clean" side) to an outside service and then accepting only specific replies from expected sources on the ("dirty") outside. However, this does not work for services such as Web, DNS, and other services, which must be open to the general public to receive requests. In these cases, the firewalls do something called opening a conduit, that is, letting HTTP traffic pass to the IP address of the Web server. Although such an approach offers some protection by accepting only specific protocols for specific addresses, it does not work well against DDoS attacks because hackers can simply use the "approved" protocol (HTTP in this case) to carry their attack traffic. The lack of any anomaly-detection capabilities means firewalls cannot recognize when valid protocols are being used as an attack vehicle.
    The third reason firewalls cannot provide comprehensive DDoS protection is a lack of antispoofing capabilities. When a DDoS attack is detected, firewalls can shut down a specific flow associated with the attack, but they cannot perform antispoofing on a packet-by-packet basis to separate good or legitimate traffic from bad, action that is essential for defending against attacks using a high volume of spoofed IP addresses.
    So what you are looking for is not a hardware firewall but a hardware DDoS mitigation appliance.

    Hope that helps.

  3. #3
    Hello,

    Thank you very much for your reply. Do you think this will solve my botnet/DoS attack problems as well? And is it possible to use Cisco and this hardware together to protect the same network?

  4. #4
    For some time now each Dell PowerEdge motherboard has come standard with IPMI (including KVM over IP) and a bunch of sensors, as well as server monitoring software. I guess there are many other companies selling servers with IPMI on board.

  5. #5


    Quote Originally Posted by justify:
    Hello,

    Thank you very much for your reply. Do you think this will solve my botnet/DoS attack problems as well? And is it possible to use Cisco and this hardware together to protect the same network?
    Yes, this will most certainly solve your botnet/DoS attack problems. It is the leading custom DDoS solution. Do your due diligence if you desire. You can do a reference check with people listed on the page or read the press releases. They will give you an honest opinion.

    You can use Cisco switches and routers in conjunction with IntruGuard appliances in the network. These appliances are layer 2 transparent bridges and therefore do not require much network setup: they are a bump in the wire without a MAC or IP address, except an IP for management.

  6. #6
    No hardware appliance is going to solve DDoS problems if they exceed your line rate capabilities. Protecting against DDoS within the cabinet is much too late. Attacks exceeding 144 Kpps are common enough these days, and a well-distributed DDoS is very difficult to stop at the source (not that a single source is easy; try getting hold of Chinanet). If DDoS is a large concern, I would look for a datacenter with a true DDoS mitigation offering.

    For smaller attacks, using a server as a firewall is a very cost-effective solution. CPUs are so fast these days that standard x86 hardware can outperform an ASIC-based design. You can spend less money than you would on a dedicated appliance, and easily build two completely beefed-up servers, each of which can handle 100 Mbps line rate.

    Just don't use Linux/iptables, due to its linear matching algorithms, which don't scale well. I highly recommend a BSD/PF-based solution. I haven't used pfSense myself, but I hear that it has a pretty good user interface if you don't have any BSD gurus in-house. With CARP/pfsync, you can achieve higher availability than Cisco HSRP/SSO. I don't believe IntruGuard offers any VRRP or stateful failover capabilities, but I'm not familiar with the product, so don't quote me on that. However, if I'm correct, then an IntruGuard appliance would be a single point of failure.

    There are also more solutions discussed in this thread:
    http://www.webhostingtalk.com/showthread.php?t=647542
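As an added illustration of the BSD/PF approach recommended in the post above (this is example configuration written for this page, not code from the thread, from pfSense, or from any vendor mentioned here): a minimal pf.conf that pairs CARP/pfsync failover between two firewall nodes with pf's synproxy and per-source connection-rate limits, which is roughly what a server-as-firewall can do against the smaller attacks mentioned, and which passes active-mode FTP without requiring passive mode. Interface names, the 203.0.113.0/24 addresses, and all thresholds are assumptions chosen for the example.

```pf
# Added example pf.conf (not from the thread). Assumed layout: em0 faces
# the datacenter uplink, em1 faces the cabinet, em2 is a crossover link to
# the second firewall node for pfsync; the web servers use stand-in
# addresses from the 203.0.113.0/24 documentation range.
ext_if     = "em0"
int_if     = "em1"
sync_if    = "em2"
webservers = "{ 203.0.113.10, 203.0.113.11 }"

# Sources that trip a rate limit land in these tables; age them out from
# cron with:  pfctl -t flood -T expire 3600
table <flood>      persist
table <bruteforce> persist

set skip on lo0
set limit states 500000        # pf's default of 10000 is far too low for a 100 Mbps box
set block-policy drop          # do not answer attackers with RSTs

# Packet normalisation (FreeBSD/pfSense syntax; newer OpenBSD uses "match ... scrub")
scrub in on $ext_if all

block all

# Failover between the two nodes: state replication over the dedicated
# link, CARP announcements on the traffic-carrying interfaces. States for
# these rules are not replicated (no-sync), as in the OpenBSD pf FAQ.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $int_if $ext_if } proto carp keep state (no-sync)

# Offenders are dropped before any stateful rule sees them
block in quick on $ext_if from { <flood>, <bruteforce> }

# Public web: the firewall completes the TCP handshake itself (synproxy),
# so the servers never see a half-open SYN flood. A source that opens more
# than 30 connections in 10 seconds, or holds 100 at once, is moved to
# <flood> and its existing states are killed (flush global).
pass in on $ext_if proto tcp to $webservers port { 80, 443 } \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 30/10, overload <flood> flush global)

# SSH: stricter limit, same mechanism
pass in on $ext_if proto tcp to $webservers port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Active-mode FTP (the OP does not want passive mode): clients connect to
# port 21, and the server then opens the data connection itself from port
# 20 to the port the client announced, which is ordinary outbound traffic
# on this firewall, so no dynamic inbound rule is needed.
pass in  on $ext_if proto tcp to   $webservers port 21 flags S/SA keep state
pass out on $ext_if proto tcp from $webservers port 20 flags S/SA keep state

# Everything the servers initiate is allowed out; the cabinet side is open
pass out on $ext_if from $webservers keep state
pass on $int_if keep state
```

Two caveats that follow directly from the post above: these limits only buy anything while the attack stays under the uplink's line rate, since a flood that saturates the 100 Mbps link is lost before pf sees it; and `max-src-conn-rate` counts per source address, so it has no effect on a spoofed-source SYN flood, where synproxy is the part doing the work.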

  7. #7
    Quote Originally Posted by hhw:
    I don't believe IntruGuard offers any VRRP or stateful failover capabilities, but I'm not familiar with the product, so don't quote me on that. However, if I'm correct, then an IntruGuard appliance would be a single point of failure.
    A network admin friend of mine works at a large security software company (Nasdaq 100) where an IntruGuard appliance has been used for the last 2 years without failure. They use this appliance in conjunction with bypass switches, which make sure that this appliance is not a single point of failure. Plus, the appliance does have intrinsic failover capability.

    Also, they do offer an HA solution with two appliances talking to each other and exchanging states.
