Friday, January 15, 2016

Complicated server/router/firewall question



I think this is a fairly advanced question, I hope someone with experience can help me. Deep breath, here we go:



We're a small, but growing, website that is looking to add another server in so we'll have two: One Web Application server and one Database Server.




We're also looking to get a hardware Firewall.



All standard stuff.



Our servers are hosted by a hosting company (natch) in one of their facilities. We don't own our own box, but instead are simply renting a rack shelf from a company that does. When we get our Firewall and additional server, we'll rent a couple more shelves.



Pretty straight forward, I guess.



Now it gets a bit more complicated: We need direct access to both servers (i.e. for Remote Desktop access, SQL Server access, FTP access, etc.).




We have our single IP address for the website and, although our connection comes through a router before it reaches our server, we don't have access to it. If I try and navigate to our default gateway I get nothing.



What would be the best way to add a Firewall to our current configuration? We were hoping to be able to get something like a Firebox X1000 cheaply off eBay and take a request for www.ourdomain.com and forward it to Server A (e.g. 192.168.0.10), and a request for server.ourdomain.com and forward it to Server B (e.g. 192.168.0.11).



Does this make any sense? Are we going about it the wrong way? Does such an enterprise level Firewall even exist? (As an aside: 2,000 concurrent sessions is about the maximum we've seen on the site so far, but obviously it would be good to have room to grow.)



Thanks for any help, I'm utterly perplexed and the people at Watchguard and Juniper, while being incredibly helpful, can't seem to put my mind at ease.







Update: Thanks to Zoredache and Jesper Mortensen for answering my question in the most straight forward and useful way. I understand a lot more about this whole process now (obviously there's no easy way for a h/w firewall to do what I wanted - and my original request doesn't really make sense now I understand more about layers - doh).



Ultimately, we have decided to use a third server as a Firewall, rather than a dedicated h/w firewall. The reason for this is mainly because it will work out a lot cheaper for us and do exactly the same job. We were already planning on having a third server to collect our own analytics, which we expect to be a pretty light job (they're triggered on the client and then logged in SQL), so it makes sense for us to move it to the "front" of our configuration and use it as a firewall too.



We'll also probably configure a VPN on it so we can administer the Web App server and DB server that way, rather than directly connecting to them.



This will mean we don't need to buy a h/w firewall or rent an additional rack unit.



The only difference between the recommendations and our solution is that we'll be using Windows Server 2008 instead, because of a) my knowledge of it and b) we get it for free through our BizSpark pack.




Thanks again!



PS - Anyone got any tips for the specs of this new firewall/VPN/(lightweight)SQL server? (A fast processor and a good amount of RAM seems to make sense to me... but what do I know? :)


Answer



Sure it makes sense, and would be pretty easy to do with a Linux-based firewall. Simply set up the Linux box with one interface that has the public address, and a second interface with a private address.



Then set up a reverse proxy like squid. Squid or whatever reverse proxy you choose can forward HTTP requests to the internal systems based on the Host header.



You can use a VPN to the Linux firewall, to get access to most of the other services. I don't think it would be a good idea to have your SQL server directly connected to the internet. If you must access some services you could also use NAT to forward some port you choose to the port on the internal system.
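To make the Host-header routing concrete, here is an added squid.conf fragment (not from the original answer or the Squid project) that does what the question asked for: listen on the public address in accelerator mode and hand www.ourdomain.com to 192.168.0.10 and server.ourdomain.com to 192.168.0.11, refusing any other hostname. The public address 203.0.113.10 is a constructed placeholder; SQL, RDP and FTP are not HTTP and are not touched by this, so they stay reachable only over the VPN or an explicit NAT forward.

```conf
# Added example squid.conf fragment, not the original post's configuration.
# 203.0.113.10 is a constructed placeholder for the single public address;
# 192.168.0.10/11 are the internal addresses assumed in the question.

# Listen on the public interface as a reverse proxy ("accel") and pick the
# backend from the Host header ("vhost") rather than from a fixed default site.
http_port 203.0.113.10:80 accel vhost

# The two internal origin servers. "originserver" marks them as real origins
# (not caching peers) and "no-query" disables ICP chatter between them.
cache_peer 192.168.0.10 parent 80 0 no-query originserver name=webapp
cache_peer 192.168.0.11 parent 80 0 no-query originserver name=serverb

# Only the hostnames we actually publish are matched; "dstdomain" is checked
# against the Host header of the incoming request.
acl to_webapp  dstdomain www.ourdomain.com
acl to_serverb dstdomain server.ourdomain.com

# Bind each hostname to exactly one backend so a request for one name can
# never be steered at the other internal machine.
cache_peer_access webapp  allow to_webapp
cache_peer_access webapp  deny  all
cache_peer_access serverb allow to_serverb
cache_peer_access serverb deny  all

# Default-deny: requests for any unlisted Host (IP literal, probing tools,
# stale DNS names) are refused at the proxy instead of reaching a backend.
http_access allow to_webapp
http_access allow to_serverb
http_access deny all
```

After reloading, `curl -H 'Host: www.ourdomain.com' http://203.0.113.10/` should reach Server A while a request with an unknown Host header gets an access-denied page from the proxy.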


