freebsd-net Digest, Vol 13, Issue 6

Alex Soares de Moura alex at rnp.br
Sun Jun 22 10:18:12 PDT 2003


Hello,

A couple of years ago I was one of the networking/security engineers
of a major datacenter company in my country. Here are my $0.02:

1) I find it very trusting of you to share so much info about your
net and systems with the whole Internet, but I'm not sure it's a good
policy, mainly because it's a business and there are a lot of resources of yours
that many bad hackers would love to get their virtual hands on
(disk space, bandwidth etc.), as anyone can see on the Sysinfo page.

Ok, security through obscurity is not a valid argument in the IT security
community, but your customers may not have that knowledge, and
sharing so much info about your net can be bad for [your] business anyway.

Now to your questions.

2) Yes, the proposed architecture will work, although it can have slower
performance than optimal, mainly if there's a high traffic load.

3) First, it must be clear that there are LAN and WAN parts of
your question to be concerned about.

4) You mentioned concern about performance (added latency). I believe that
you were just referring to the LAN, but remember that a firewall on the WAN
connection can (and will) add latency to the overall inbound/outbound Internet
access. For now it's

5) For the LAN, your network performance and security can improve
and benefit from breaking down (segmenting) your broadcast domain
into different segments, one for each area and purpose.
You can implement segmenting using only one switch if it supports VLANs.
This will allow you to apply different security policies to each area and
increase their expandability (using more switches in the future), but don't
count just on VLANs for that. Another advantage of segmenting is that you can
delay the purchase of an expensive gigabit switch, which can be added later when
you see that the network core needs upgrading.

6) Talking about segmenting, you can benefit from a DMZ, where you can put
the DNS, NTP, an external mail hub and other services, separating their
traffic.

7) Storage is another area. Your NFS and backend (database) communication
only needs to happen with your front-end (web) servers, right? Following this
idea, you can think about putting in a separate switch to connect them using a
second network interface in the front-end servers. You can use this secondary
LAN for backup purposes too. The drawback is the increased cost of more NICs.

Best regards,

Alex

----- Original Message ----- 
From: "agent dero" <dero at bluhayz.org>
To: <freebsd-net at freebsd.org>
Sent: Saturday, June 21, 2003 5:41 PM
Subject: Re: freebsd-net Digest, Vol 13, Issue 6


> I am re-organizing my company's network, albeit a small one, but it is still
> very very important.
> I run a small webhosting company, and I am rebuilding the LAN with the idea
> of expandability.
> The LAN diagram is here:
> http://www.bluhayz.org/~dero/overall_lan.png
> (I apologize for PNG, but that's how AppleWorks wanted to save it.)
>
> Anyway, I am wondering about overall network performance, given that our
> net connection isn't higher than 45Mbps (burstable connection, yay!)
>
> (All machines are running FreeBSD 4.8-RELEASE)
>
> The plan is to store all user directories, i.e. web sites, on the NFS disk
> server, equipped with a gazillion disk drives, all with RAID 0+1, and simply
> running NFS (and of course SSH).
> Then the FTP server (1), the web servers (2 at the current point in time) and,
> somewhere in the future, the MySQL servers will all have data stored on the
> NFS server. In addition, the overall workload will be spread across the web
> servers, using BIND's round-robin capability.
> Note: I am planning on upgrading to Gigabit sometime soon.
>
> The question being, how will this network perform? I realize there will be
> increased network traffic, but the two things I am worried about are
> overall added latency, and plausibility, i.e. before I buy more hardware,
> will this work!
> The biggest toss-up is the tradeoff between a couple ms of latency and
> expandability. According to this current diagram, all we need to do to add a
> new server to help relieve load is to add a new web server, configure it
> in the BIND configuration files, and get it to use the NFS server.
>
> Help is not only needed, but appreciated.
>
> thanks!
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
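The segmentation Alex sketches in points 5 to 7 (one VLAN per area, a DMZ for DNS/NTP/mail, and a storage LAN reached only through a second NIC on the front-ends) is ultimately a packet-filter policy, and the check a practitioner wants is that nothing outside the front-end VLAN can reach NFS or MySQL. The following is an added example, not code from either poster: it models that layout with a first-match rule evaluator (a toy, not ipfw, though it renders each rule in ipfw syntax), and audits the storage-isolation invariant. The addressing plan (RFC 5737 documentation ranges for the DMZ and front-end segments, 10.10.10.0/24 for storage) and the representative hosts are constructed for the example.

```python
"""Toy model of a segmented hosting LAN: WAN, DMZ, front-end (web) VLAN and
a storage VLAN.  Rules are evaluated first-match, as a packet filter such as
ipfw reads them, but this evaluator is a simplification, not ipfw itself.
All addresses and rules are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing plan: one subnet per segment; 0.0.0.0/0 is the
# catch-all "wan" zone for anything not in a local segment.
ZONES = {
    "wan": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),       # DNS, NTP, mail hub
    "web": ipaddress.ip_network("198.51.100.0/24"),    # web/FTP front-ends
    "storage": ipaddress.ip_network("10.10.10.0/24"),  # NFS and MySQL, 2nd NIC
}


def zone_of(ip: str) -> str:
    """Longest-prefix match, so 'wan' (0/0) is only ever the fallback."""
    addr = ipaddress.ip_address(ip)
    candidates = [z for z, net in ZONES.items() if addr in net]
    return max(candidates, key=lambda z: ZONES[z].prefixlen)


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # zone name or "any"
    dst: str             # zone name or "any"
    dport: Optional[int]  # None matches every destination port

    def matches(self, proto: str, src_zone: str, dst_zone: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and self.src in ("any", src_zone)
                and self.dst in ("any", dst_zone)
                and self.dport in (None, dport))


# Constructed policy: public services reachable from anywhere, storage
# services only from the front-end VLAN, everything else dropped.
RULES = [
    Rule("allow", "tcp", "any", "web", 80),
    Rule("allow", "tcp", "any", "web", 443),
    Rule("allow", "tcp", "any", "web", 21),        # FTP front-end
    Rule("allow", "udp", "any", "dmz", 53),        # DNS
    Rule("allow", "tcp", "any", "dmz", 25),        # external mail hub
    Rule("allow", "udp", "any", "dmz", 123),       # NTP
    Rule("allow", "tcp", "web", "storage", 2049),  # NFS
    Rule("allow", "udp", "web", "storage", 2049),
    Rule("allow", "tcp", "web", "storage", 3306),  # MySQL
    Rule("allow", "tcp", "web", "storage", 22),    # admin SSH via front-ends
    Rule("deny", "any", "any", "any", None),       # default deny
]


def decide(proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; an empty ruleset is treated as deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.matches(proto, src_zone, dst_zone, dport):
            return rule.action
    return "deny"


def to_ipfw(rule: Rule, number: int) -> str:
    """Render one rule in ipfw(8) syntax (proto 'any' becomes 'ip')."""
    def addr(zone: str) -> str:
        return "any" if zone == "any" else str(ZONES[zone])
    proto = "ip" if rule.proto == "any" else rule.proto
    port = f" {rule.dport}" if rule.dport is not None else ""
    return f"ipfw add {number} {rule.action} {proto} from {addr(rule.src)} to {addr(rule.dst)}{port}"


def render_ruleset() -> list:
    return [to_ipfw(r, 100 * (i + 1)) for i, r in enumerate(RULES)]


# Constructed representative hosts for the zones that must NOT reach storage.
REPRESENTATIVE = {"wan": "203.0.113.5", "dmz": "192.0.2.10"}
STORAGE_HOST = "10.10.10.5"


def audit_storage_isolation() -> list:
    """Invariant from point 7: only the front-end VLAN may reach NFS/MySQL.
    Returns the list of violations; an empty list means the policy holds."""
    checks = [("tcp", 2049), ("udp", 2049), ("tcp", 3306)]
    violations = []
    for zone, ip in REPRESENTATIVE.items():
        for proto, port in checks:
            if decide(proto, ip, STORAGE_HOST, port) != "deny":
                violations.append(f"{zone} -> storage {proto}/{port}")
    return violations


if __name__ == "__main__":
    for line in render_ruleset():
        print(line)
    print("violations:", audit_storage_isolation() or "none")
```

Removing the `src="web"` qualifier from the NFS rule, or dropping the trailing default-deny, makes `audit_storage_isolation()` report the WAN and DMZ hosts, which is exactly the regression a VLAN-only design without a filter between segments would allow.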