Re: Forced Routing?

This is interesting.  I'm not really a guru, so if I can restate the 
problem, you want to build a server farm of 100s of servers, each secured 
by a 'firewall' from each other (and I assume the common uplink), but 
capable of passing permitted traffic amongst each other.

I'd recommend two layers of hardware & software here.  First, switches that 
isolate the traffic from each other.  For this number, you may have to cascade 
switches.  I'm not sure VLANs are necessary here.  Second, a router or 
routers to manage & secure the traffic.

A typical switch will segregate the stream from each port, and can be 
configured to direct it to one or more destinations, which could be one or 
more ports.  These congregated ports can go to routers, which can provide 
some of your firewalling via rules.  Switches can usually be taught to not 
broadcast between ports.  You may even need more than one router layer to 
do this.

Your problem is similar to a classic web hosting server farm.  If you were 
doing this, either for web hosting, or other ASP-like activity, I'd do it 
with switches, routers, and upstream firewalls.  I'd be offering my clients 
security from the obvious attacks, recovery from DDoS via monitoring and 
blocking, auditing of unusual traffic, and only isolation from neighborhood 
hosts at the router level.  Little if any traffic should flow from host to 
host, since they are primarily servers, and server-to-server traffic should 
be minimal.  I'd also be looking at a caching appliance pretty quickly, 
both to lessen the host loads, and to lessen my intranet traffic.

Your LAN might look like this: (fixed width font)

   host   host   host   host   host   host   host   host
     |      |      |      |      |      |      |      |
   +------------------------------------------------------+
   |                        switch                        |
   +------------------------------------------------------+
               |                              |
        +------------+                 +------------+
        |   router   |                 |   router   |
        +------------+                 +------------+
               |                              |
               +--------------+---------------+
                              |
                       +------------+
                       |   router   |  (maybe)
                       +------------+
                              |
                        ((internet))

This offends my sense of simplicity in a way, but it seems practical.  Does 
it seem to do the job?

This arrangement also lets you shim in load balancers, etc. by programming 
routers and forwarding traffic, I think.

As an aside, you can take advantage of the routing layer to offer clients 
value adds such as load sharing, caching, etc. by forwarding their traffic 
differently.

Lastly, where I show router, this could be a layer 3 switch or other 
router-like appliance.  So many are coming up it's hard to keep up with the 
names.

My best idea this early in the morning...

Rick

At 8/5/2000 01:04 AM, Chris Knipe wrote:
>Hi...
>
>I just have a simple question quickly....  (or I hope it will be)...
>
>Technically, as I understand it, specifying a default gateway (or a gateway
>at all) for TCP/IP routing information is irrelevant *IF* the IP addresses
>are located on the same subnet??  Simple scenario...
>
>PC1  <----->  PC2
>
>Both are on the same network, 192.168.1.0/255.255.255.224
>
>Now, in other words, PC1 and 2 will know of each other only via ARP cache,
>and thus, will know that they are directly reachable, and thus not use any
>gateway information specified in a routing table?  Well, I might be right, I
>might be wrong about this, but the question I have, is a bit more
>complicated...
>
>Say for example, I have a bunch of PCs, all on the same network, all routing
>via one machine (default gateway)...  The network can possibly look
>something like this... (192.168.1.0/255.255.255.224)
>
>PC1   PC2   PC3   PC4
>  \     |     |    /
>   \    |     |   /
>    ----------------
>           |
>        GATEWAY
>
>The question is simply, how can I firewall PC1, 2, 3 and 4 from EACH OTHER,
>without subnetting them all.  If I subnet it, it firstly would mean that my
>firewall machine would need hundreds of network cards (which is physically
>impossible - seeing as in practice, I'm literally talking 100+ computers in
>this farm)....  Secondly, data from PC1 directed to PC2 WILL NOT be routed
>by the FIREWALL machine, but will only be broadcast back to the
>destination, because of the features and workings of UTP HUBs, and TCP/IP
>routing....
>
>So how do I get my gateway machine (firewall) to protect the entire server
>farm from the outside world (this is fairly simple, I just stick a second
>NIC in it and set the firewall up), but also have the gateway protect the
>machines from each other INSIDE the firewall?
>
>Why do I want to do this?  We plan on setting up a server farm where our
>customers will be able to rent dedicated servers from us for their own
>personal use.  Due to the security involved, we need to have all the servers
>in the same server farm, as well as have firewall protection for every
>machine in the farm from each other.  The firewall rules are not that
>important at the moment, because of the fact that the farm will more than
>likely all be protected by the same rules; as I stated however, the problem
>lies in the manner in which we can go about implementing these rules
>INTERNALLY between the servers in the farm.
>
>As far as I know, it is impossible to do.  UTP Hubs broadcast all the
>information received on a port, to all the other ports connected to the same
>hub.  Therefore, all the machines on the same hub, will receive the
>information.  On the other hand, there are a few places doing things like
>this already, which means that technically, it MUST be possible...
>
>Can one way of doing this perhaps be in the configuration and layout of the
>physical network (hubs, switches, and cables), perhaps in something like the
>following scenario....
>
>SERVER   SERVER   SERVER
>   |        |        |
>  HUB      HUB      HUB
>   |        |        |
>   ------------------
>            |
>          SWITCH
>            |
>         GATEWAY
>
>Or will this scenario also allow communications to take place between the
>servers without their data being checked and firewalled by the gateway
>firewall?
>
>ANY help will greatly be appreciated, and I look forward to your replies.
>
>Regards,
>  Chris Knipe
>Cell: (083) 430-8151
>
>Natural ability has more often attained to glory and virtue, than education
>without natural ability at all.
>
>
>-
>: send the line "unsubscribe linux-net" in
>the body of a message to majordomo@vger.rutgers.edu
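
As an added worked example (editor's code, not part of either message in this thread), here is a small Python model of the two mechanisms the exchange turns on: the kernel's route selection, which decides whether a host ARPs for a peer directly or hands the packet to the default gateway, and the switch port isolation that the reply proposes as the first of its two layers. It shows the /27 case from the question (peers on the same subnet never touch the gateway) and goes one step beyond the thread with a constructed variant in which each server carries a /32 address plus a host route to the gateway, so that every destination is off-link. Addresses, port names, the device name `eth0` and the `PlainSwitch`/`IsolatedSwitch` classes are all constructed for illustration.

```python
"""Route selection versus switch port isolation: why a default gateway is
ignored for peers on the same subnet, and why only the switch and router
layers can actually keep farm hosts apart.  Added example; not code from
the thread.  All addresses and port names below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[IPv4]  # None = on-link: the host ARPs for the destination itself
    dev: str


def host_table(own: str, gateway: str, dev: str = "eth0") -> List[Route]:
    """Table a host ends up with for address/prefix `own` plus a default route.
    With a /32 the connected route covers only the host itself, so a host
    route to the gateway is added before the default (constructed variant;
    note this lives on the tenant's machine and is under the tenant's control)."""
    ifaddr = ipaddress.IPv4Interface(own)
    gw = IPv4(gateway)
    table = [Route(ifaddr.network, None, dev)]
    if gw not in ifaddr.network:
        table.append(Route(ipaddress.IPv4Network(f"{gw}/32"), None, dev))
    table.append(Route(ipaddress.IPv4Network("0.0.0.0/0"), gw, dev))
    return table


def next_hop(table: List[Route], dst: str) -> Tuple[str, str]:
    """Longest-prefix match.  Returns (address the host will ARP for, device):
    the destination itself when the best route is on-link, else the gateway."""
    d = IPv4(dst)
    matches = [r for r in table if d in r.prefix]
    if not matches:
        raise ValueError(f"no route to {dst}")
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    return str(best.via if best.via is not None else d), best.dev


class PlainSwitch:
    """Ordinary switch (or hub): any port may reach any other port."""

    def forwards(self, in_port: str, out_port: str) -> bool:
        return in_port != out_port


class IsolatedSwitch(PlainSwitch):
    """Switch with port isolation: host ports only exchange frames with the
    uplink port, where the router sits.  Host-to-host frames are dropped
    regardless of what the hosts' IP layers believe is directly reachable."""

    def __init__(self, uplink: str) -> None:
        self.uplink = uplink

    def forwards(self, in_port: str, out_port: str) -> bool:
        return in_port != out_port and self.uplink in (in_port, out_port)


def bypasses_gateway(table: List[Route], dst: str, switch: PlainSwitch,
                     src_port: str, dst_port: str) -> bool:
    """True when traffic to `dst` never touches the gateway: the sender ARPs
    for the peer directly AND the switch delivers the frame host-to-host."""
    arp_for, _ = next_hop(table, dst)
    return arp_for == str(IPv4(dst)) and switch.forwards(src_port, dst_port)


if __name__ == "__main__":
    shared = host_table("192.168.1.2/27", "192.168.1.1")   # layout from the question
    per_host = host_table("192.168.1.2/32", "192.168.1.1")  # constructed /32 variant
    print("shared /27, peer:    ", next_hop(shared, "192.168.1.3"))   # ARPs for the peer
    print("shared /27, internet:", next_hop(shared, "10.9.8.7"))      # via gateway
    print("/32 host, peer:      ", next_hop(per_host, "192.168.1.3"))  # via gateway
    for name, sw in (("hub/plain switch", PlainSwitch()),
                     ("isolated switch ", IsolatedSwitch("uplink"))):
        print(f"{name}: peer reachable without the gateway ->",
              bypasses_gateway(shared, "192.168.1.3", sw, "p1", "p2"))
```

Two practical points fall out of running this. First, the /32 table keeps a cooperative host from ARPing for its neighbours, but a customer with root on a rented server can put the /27 back with a single `ip route add`, so it is a convenience, not a boundary; the isolated switch is what actually holds, and the router's filter rules then decide which host-to-host traffic is allowed. Second, with an isolated switch and the plain /27 table, PC1's ARP request for PC2 never reaches PC2, so PC1 cannot reach PC2 at all unless the router answers on PC2's behalf (on Linux, `net.ipv4.conf.<iface>.proxy_arp`) or the hosts are given the off-link table, so that the filtered path through the router is the only one.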

