[c-nsp] ASA Firewalls placement in the network!

Joe Shen sj_hznm at yahoo.com.cn
Mon Oct 12 10:46:26 EDT 2009


> Well, the point of a well-maintained server is that it is *open* to
> the world - if you want a web server to be visible by the world, then
> there isn't much you can do, besides "open HTTP to it".  And other
> services should not be running in the first place.

Agree.  Focusing server resources on their public service and removing everything unnecessary should be the first consideration, rather than putting in another box.

> The worst thing you can do is put a stateful firewall in front of a
> busy DNS server

Yes. We did suffer from such a solution years ago. At that time, when incoming requests increased, the firewall we used reached its threshold quickly and rejected new ones. Now we just connect the DNS servers to a Cisco 6509 directly; an ACL on the interface protects the server very well.

On the other hand, tuning DNS server performance is relatively easier than tuning application servers. But it seems there needs to be a new technology or method for detecting and controlling abnormal incoming requests.

Months ago, the failure of the primary DNS server for baofeng.com caused the ISP cache servers to run out of resources because too many clients resolved that domain recursively.

Joe
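As an added example, not code from this post or from anyone on the thread: a Cisco IOS interface ACL of the kind described above, stateless, so there is no session table for a query flood to exhaust. The server address (192.0.2.53, documentation range) and the interface name are constructed placeholders.

```cisco
! Added example, not from the original post.
! Stateless inbound ACL protecting an authoritative DNS server.
! 192.0.2.53 and GigabitEthernet1/1 are constructed placeholders.
ip access-list extended DNS-SERVER-IN
 remark Only DNS (UDP and TCP 53) may reach the server
 permit udp any host 192.0.2.53 eq domain
 permit tcp any host 192.0.2.53 eq domain
 remark Keep the ICMP needed for reachability and path MTU discovery
 permit icmp any host 192.0.2.53 echo
 permit icmp any host 192.0.2.53 packet-too-big
 permit icmp any host 192.0.2.53 time-exceeded
 remark Everything else aimed at the server is dropped
 remark (no "log" keyword: logging every drop on a busy link loads the CPU)
 deny   ip any host 192.0.2.53
 remark Traffic to other hosts behind this interface is not affected
 permit ip any any
!
interface GigabitEthernet1/1
 description Internet-facing uplink, ACL applied inbound
 ip access-group DNS-SERVER-IN in
```

Per-entry hit counters from `show ip access-lists DNS-SERVER-IN` show how much non-DNS traffic the deny entry is absorbing.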


