Home page logo
/

basics logo Security Basics mailing list archives

RE: Failover internet connections, and implementation...
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 23 Oct 2007 14:05:44 -0700

  Neither of these will work if you host the company's Internet-
facing servers (web, email) on the network, because DNS entries
(cached all over the place) will still be pointing at your primary
addresses.

  There are special appliances that will compensate for a failed 
ISP link, including serving up DNS with a short TTL and reflecting 
the change.  The more traditional approach is to have dedicated 
routable addressing -- at least for those servers! -- and BGP to 
multiple ISP connections.

David Gillett


-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Dan Denton
Sent: Tuesday, October 23, 2007 11:19 AM
To: security-basics () securityfocus com
Subject: Failover internet connections, and implementation...

I've a question about failover internet connections. I'm 
interesting in knowing what kind of implementations that 
other SMB's use for redundancy, and to switch to in the case 
of a DOS attack. 

Do any of you have redundant highspeed internet connections 
for your offices (versus those for datacenters)? If so, what 
kind of setup do you have?

Here's the setups I'm considering...

1. Have a second cable modem/dsl modem active, but not hooked 
into the network. In the event of a failure, move the 
connection for perimeter devices over to the standby 
connection and reconfigure the perimeter device to use a different IP.

2. Have a second set of perimeter devices (firewalls) 
programmed to use the IP's on the second connection, as a hot standby.

My problem with the first option is the time it would take to 
reconfigure firewalls and IDS' to use the other ISP's 
connection. The problem I have with the second is the expense 
of firewalls and IDS' just sitting there idle. 

Any input is greatly appreciated!


Dan 




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]