September 21st, 2004, 02:46 PM
how to secure and monitor the servers
I would like to ask for your help in setting up a proxy server to protect and monitor multiple servers of my company.
I work as a Network Engineer. I want the servers to be stable, and if a server is down, I want to be notified accordingly instead of customers calling and telling us.
I wish to know if someone has any experience or ideas that you can share, and any available software or programs that I can use. I ran through the information on ISA Server provided by Microsoft. ISA can provide us with a number of functions, including monitoring multiple servers, alerting when a server is down, setting up firewalls, access-control lists... Moreover, the servers are running on Windows OS, and I think that ISA supports Windows (Squid supports Unix OS). However, one problem is that ISA is expensive (1500 USD). Thus, I am still considering whether I should recommend ISA to my company.
So, at the moment what software and programs are you using to do the job?
Thanks very much for your reply
September 21st, 2004, 03:16 PM
Without any additional information about your network(s) and the current topology, it's very hard to say what will work and what won't.
ISA server is a fine product and would work well under most circumstances. I will warn you that ISA uses MS specific nomenclature that can tend to confuse users new to ISA server.
Configuration can be complicated and community support is hit and miss.
There are many, many, many free or less expensive alternatives.
For example, http://www.smoothwall.org includes proxy, firewall, IDS (basic) and many other features, and is well supported by community forums and mailing lists.
Anyway, how about more detail about your network(s)?
Also, I use http://www.nagios.org for network and device monitoring. It's free as well.
September 21st, 2004, 03:44 PM
Oh, thanks ss2chef, I'm checking your recommended sites.
My company is located in Singapore, and has its servers at the SingTel site. Thus, engineers in my company need to remotely control the servers every day if they want to check or modify the database, customer database, billing database... Besides the database servers, there are other servers with different functions.
My company is working in the telecommunications field. When customers use the service, the Call Server will check their subscription by looking for their information in the customer database, and so on, ... and then direct the calls to the destination Call Server. Thus, I also need to check the availability of the Call Server. For example, when the Call Server is down, I should be alerted. That is one of the functions I'm supposed to design.
I was given the network topology, but the drawing is not very clear. From the drawing, I know that the network is built as a logical bus topology.
Thanks for any comments and help
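An added example (not from the thread, and not Nagios' own code) of the "alert me when the Call Server is down" requirement above, in the soft/hard state style that Nagios uses: a host is only declared DOWN after several consecutive failed checks, and a notification fires only on a confirmed state change. The host names, ports and check results are constructed.

```python
# Added example: Nagios-style availability checks with soft/hard states. A host
# is declared DOWN only after max_attempts consecutive failed checks, and a
# notification fires only on a hard state change, so one dropped packet does
# not page anyone. Hostnames, ports and results used here are constructed.
import socket
from typing import Callable, Dict, List, Optional, Tuple

def tcp_check(host: str, port: int, timeout: float = 3.0) -> bool:
    """Service-level probe: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

class HostMonitor:
    def __init__(self, name: str, max_attempts: int = 3) -> None:
        self.name = name
        self.max_attempts = max_attempts
        self.hard_state = "UP"   # last confirmed state
        self.failures = 0        # consecutive failed checks (soft state)

    def record(self, ok: bool) -> Optional[str]:
        """Feed one check result; return notification text on a hard state change."""
        if ok:
            self.failures = 0
            if self.hard_state == "DOWN":
                self.hard_state = "UP"
                return f"RECOVERY: {self.name} is UP"
            return None
        self.failures += 1
        if self.hard_state == "UP" and self.failures >= self.max_attempts:
            self.hard_state = "DOWN"
            return f"PROBLEM: {self.name} is DOWN ({self.failures} failed checks)"
        return None

def replay(results: List[bool], max_attempts: int = 3, name: str = "callsrv1") -> List[str]:
    """Run a sequence of check results through one monitor; return notifications."""
    mon = HostMonitor(name, max_attempts)
    return [n for n in (mon.record(r) for r in results) if n]

def poll(targets: Dict[str, Tuple[str, int]], monitors: Dict[str, HostMonitor],
         check: Callable[[str, int], bool] = tcp_check) -> List[str]:
    """One polling round over all targets ({name: (host, port)}); returns notifications."""
    out = []
    for name, (host, port) in targets.items():
        mon = monitors.setdefault(name, HostMonitor(name))
        note = mon.record(check(host, port))
        if note:
            out.append(note)
    return out
```

Call `poll` from a scheduler every minute with a persistent `monitors` dict and hand the returned strings to whatever notification path you use (email, SMS pager).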
September 22nd, 2004, 07:14 AM
By the way, my servers are running on the Windows platform. Is it recommended that I use ISA Server, because Smoothwall and Nagios run on Linux/Unix? And should we install ISA Server, Smoothwall or Nagios on the servers to be monitored, or on another computer and then use that computer to monitor/secure the servers?
Thanks for any help
September 22nd, 2004, 07:22 AM
IPCop is a much more advanced spur-off of Smoothwall (although Smoothwall is a good piece).
As far as monitoring, I would start with what may already be there. If you have *nix based machines (even your Smoothwall or IPCop firewall), you can have syslog send its logging to a remote machine. There is an excellent Windows syslog client out there called the Kiwi Syslog Daemon that will allow you to establish filters and actions (email, SMS, page, etc.) based on syslog messages. Kiwi is amazingly cheap.
There's tons of companies that will scan your site on schedule, and depending on the level they will even go as far as to give you a detailed list of fixes for your flaws.
SecurityMetrics is one of them.
In a real world scenario one would have a network zoned typically in three zones: untrusted (internet), de-militarized zone (public servers) and trusted (internal LAN). One or several firewalls would protect and route between these zones. Also one would use access control lists at the routers themselves to control port-based access and to act as chokes on the network. Don't forget to use egress filtering (block outbound as well as in), as most attacks are caused by lack of egress filtering (if I can't ping out I can't be used to ping flood someone).
Your internal systems would reside, of course, well protected in the trusted zone, with only necessary connections between the DMZ and internet zones. Any system with a need for public exposure would be placed in the DMZ, so that in the event it was compromised your trusted LAN would not be. Everything else is untrusted. As far as monitoring goes, an intrusion detection system such as Snort is always a good thing; however it does little good without constant rulebase attention and good reaction plans. Be sure to place IDS sensors in each zone and customize the ruleset for each as necessary (a sensor in your local zone probably isn't too concerned with standard NetBIOS traffic).
And of course, third-party scanning of the perimeter is always nice, even if it's only once a month.
There's your quickie rundown. Scary, huh?
I'll preach my pessimism right out loud to anyone that listens!
I'm not afraid to be alive.... I'm afraid to be alone.
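An added example (not from the thread, and not Kiwi's own code) of the syslog "filters and actions" idea in the post above: it parses the BSD-style syslog lines a remote syslog daemon receives from *nix hosts and firewalls, splits the PRI into facility and severity, and applies match-to-action rules such as "page on anything critical" or "email on failed SSH logins". The sample lines, host names and rule thresholds are constructed.

```python
# Added example: parse BSD syslog lines (<PRI>timestamp host tag: msg) as a remote
# syslog daemon receives them, then apply Kiwi-style match -> action rules.
# Sample lines and rule thresholds are constructed for illustration.
import re
from typing import Callable, Dict, List, Optional, Tuple
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
Event = Dict[str, object]
Rule = Tuple[str, Callable[[Event], bool], str]   # (name, predicate, action)

def parse_syslog(line: str) -> Optional[Event]:
    """Split PRI into facility/severity (PRI = facility*8 + severity)."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m or int(m.group("pri")) > 191:         # bad framing or PRI out of range
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "ts": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg")}

RULES: List[Rule] = [
    # severity 0..2 (emerg/alert/crit) from any host: wake someone up
    ("critical", lambda e: e["severity"] <= 2, "page"),
    # sshd reporting a failed login: mail the admins for review
    ("ssh-auth-fail",
     lambda e: str(e["tag"]).startswith("sshd") and "Failed password" in str(e["msg"]),
     "email"),
]

def apply_rules(lines: List[str], rules: List[Rule] = RULES) -> List[Tuple[str, str, str]]:
    """Return (rule name, action, host) for every rule each parsed line matches."""
    hits = []
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            continue              # unparseable lines are dropped, not alerted on
        for name, predicate, action in rules:
            if predicate(event):
                hits.append((name, action, str(event["host"])))
    return hits
# Constructed sample feed from a call server, a firewall and a database host.
SAMPLE_LINES = [
    "<13>Sep 22 07:14:01 callsrv1 callsrv[412]: subscriber lookup OK",
    "<9>Sep 22 07:14:05 callsrv1 callsrv[412]: database connection lost",
    "<86>Sep 22 07:14:09 fw1 sshd[900]: Failed password for admin from 203.0.113.7 port 4022 ssh2",
    "<30>Sep 22 07:14:12 db1 cron[22]: job finished",
    "garbage line without framing",
]
```

Feed `apply_rules` the lines a UDP/514 listener collects and map each action string to a real delivery method; note that syslog over UDP is unauthenticated, so a receiver exposed beyond the trusted zone can be fed forged messages.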