Networking Forums

Newbie - Data Center Network setup question Please help.

 
 
Linux_Newbie
09-30-2003, 09:49 PM
Hi All,

We have 3 application servers and one database server using Redhat 8.0
with MySQL as the database. We are trying to secure the database server and
make it local to the application servers without connecting it to the router.
Following is the layout of our datacenter setup of these 4 machines. All
servers have 2 NIC cards and the gateway defined on all NIC cards is
192.168.1.50 (router). I am able to connect to server1, server2 and server3
using telnet, VNC etc. from my home office, but I am not able to access
DBserver, and DBserver is not currently accessible from the other servers!
It is a Dlink DFL300 router which has load balancing and public-to-private
IP mapping features.

                   ----------
                   | Router |  192.168.1.50
                   ----------
                       |
                  -----------
                  | Switch1 |
                  -----------
         |              |              |
   192.168.1.10   192.168.1.20   192.168.1.30
    ---------      ---------      ---------
    |server1|      |server2|      |server3|
    ---------      ---------      ---------
   192.168.1.11   192.168.1.21   192.168.1.31
         |              |              |
                  -----------
                  | Switch2 |
                  -----------
               |              |
         192.168.1.25   192.168.1.26
                 -------------
                 | DB Server |
                 -------------


Questions:
1. Is this the right way to use 2 switches? Using switch2 to make dbserver
only accessible to the other servers and not from the outside world. This
is to secure dbserver.

2. What is wrong? I am not able to even ping DBserver from the other
servers. What should be the gateway for DBserver?

 
x_sager
09-30-2003, 10:28 PM
Check the routes and gateways; use ping to analyse and trace the network
response.

If you're planning to secure your DB and your network, use ssh instead of
VNC and telnet (strongly recommended). Do you use a firewall?


--
<? function magic_words(){ include("please"); include("thank_you");}?>

 
 
Linux_Newbie
09-30-2003, 10:38 PM


x_sager wrote:

> Check the routes and gateways; use ping to analyse and trace the network
> response.
>
> If you're planning to secure your DB and your network, use ssh instead of
> VNC and telnet (strongly recommended). Do you use a firewall?
>

We are using VPN + VNC and telnet. We need to explore using ssh.
The router has the following firewall settings:

Detect SYN Attack (SYN Flood Threshold, pkts/sec)
Detect ICMP Flood (ICMP Flood Threshold, pkts/sec)
Detect UDP Flood (UDP Flood Threshold, pkts/sec)
Detect Ping of Death Attack
Detect Tear Drop Attack
Detect IP Spoofing Attack
Filter IP Route Option
Detect Port Scan Attack
Detect Land Attack

If I check a box then it will detect the respective thing. Is this kind of
firewall enough, or do you recommend some other one?

Thanks for help in advance.

 
 
x_sager
10-01-2003, 01:16 PM
Scan your firewall from the Internet: try nmap -sS -O your_firewall_ip and
look for unused ports.
--
<? function magic_words(){ include("please"); include("thank_you");}?>

 
 
Juha Laiho
10-01-2003, 05:07 PM
Linux_Newbie <(E-Mail Removed)> said:
>We have 3 application servers and one database server using Redhat 8.0
>with mysql as database. We are trying to secure database server and make
>it local to application server without connecting to router.


Ok.

>Following is the layout of our datacenter setup of these 4 machines.
>all servers have 2 NIC cards and gateway defined on all nic cards is
>192.168.1.50 (router).


This is one of the problems of your set-up. The gateway should be
on the same network where the machine is -- and this isn't true for
the DB server in your case (even though your network numbering
implies it -- but the network numbering is at fault here unless you
do some routing tricks on the application servers).

>I am able to connect server1, server2 and server3 using telnet,
>VNC etc from my home office but i am not able to access DBserver and
>DBserver is not currently accessible from other servers!


As another person mentioned, telnet isn't that good an idea (though
your use of VPN somewhat reduces your risk, I still suggest replacing
the telnet with ssh).

>It is Dlink DFL300 Router which has load balancing and public to
>private IP mapping feature.
>
>                   ----------
>                   | Router |  192.168.1.50
>                   ----------
>                       |
>                  -----------
>                  | Switch1 |
>                  -----------
>         |              |              |
>   192.168.1.10   192.168.1.20   192.168.1.30
>    ---------      ---------      ---------
>    |server1|      |server2|      |server3|
>    ---------      ---------      ---------
>   192.168.1.11   192.168.1.21   192.168.1.31
>         |              |              |
>                  -----------
>                  | Switch2 |
>                  -----------
>               |              |
>         192.168.1.25   192.168.1.26
>                 -------------
>                 | DB Server |
>                 -------------
>
>
>Questions:
>1. Is this the right way to use 2 switches? Using switch2 to make dbserver
>only accessible to other servers and not from outside world. This is
>to secure dbserver.


I would choose another network for the interfaces connected to switch2
(f.ex. 192.168.2.x). This should make most of your setup work immediately.
Note that as none of the application servers are set up to route any
traffic between the two networks, you cannot get any network connection
from the router to the db server (and as I understand, this was one of
your goals -- even though you seem to be concerned that you cannot reach
the db server from your home office, so you have conflicting requirements
here if I read correctly).

>2. What is wrong? I am not able to even ping DBserver from other
>servers. What should be the gateway for DBserver?


This is because the other servers route the other network through their
"primary" interfaces, i.e. interfaces connected to switch1. To solve
this, either change the network addresses around switch2 to 192.168.2.x
(this is what I'd recommend as the primary solution), or create point
routes on all the application servers to the db server so that they no
longer route the db server addresses towards switch1.

Then another issue is that if you're attempting to get double the
bandwidth from the db server towards the switch2, you're not going
to get it that way. You'd need to set up a "bonding interface" over
the two regular interfaces -- but this is something you can't do
unless your switch supports it (mostly needs a Cisco or 3Com managed
switch; the unmanaged desktop switches don't have the requisite
functionality).

If you end up in a situation that you don't know what to do with the
"other" interface on the db server, consider connecting it to switch1
(and assign that interface an address on the 192.168.1.x network). Make
the ssh daemon on the db server listen on that interface only - and make
sure no other service on the db server is listening on that interface.
So, now you can access the db server with ssh without needing to log on
to one of the application servers first -- but still you can be assured
that the db service is only available for the application servers.

Also be extremely careful on what you allow through your router.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
 
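The routing behaviour Juha describes (the application servers sending 192.168.1.25 out their switch1 interface, and the two fixes: renumber the switch2 side to 192.168.2.x, or add host "point routes") can be reproduced with a small longest-prefix-match simulation. This is an added example, not code from anyone in the thread; the addresses are the ones in the diagram, while the interface names eth0/eth1, the default route sitting on eth0, and the first-installed-route-wins tie-break are assumptions that simplify what a Red Hat 8 kernel does.

```python
"""Simulated longest-prefix-match routing for the thread's two-switch layout.

Added example, not from the original post. Assumptions: each server's
switch1-side NIC is eth0 and its switch2-side NIC is eth1; the default
route is installed on eth0; among routes of equal prefix length the one
installed first wins (a simplification of the kernel's FIB ordering).
"""
import ipaddress


def build_table(eth0_cidr, eth1_cidr, gateway="192.168.1.50", host_routes=()):
    """Build a Linux-style routing table for a two-NIC host.

    eth0_cidr / eth1_cidr are 'address/prefix' strings; the kernel adds one
    connected route per NIC. host_routes are extra (cidr, iface) pairs such
    as a /32 'point route'. gateway=None means no default route at all.
    Rows are (network, interface, gateway-or-None).
    """
    table = []
    for iface, cidr in (("eth0", eth0_cidr), ("eth1", eth1_cidr)):
        table.append((ipaddress.ip_interface(cidr).network, iface, None))
    for cidr, iface in host_routes:
        table.append((ipaddress.ip_network(cidr), iface, None))
    if gateway is not None:
        table.append((ipaddress.ip_network("0.0.0.0/0"), "eth0", gateway))
    return table


def lookup(table, dst):
    """Return (interface, gateway) chosen for dst by longest-prefix match.

    Ties keep the earlier row (strict '>'), so two NICs in the same /24
    always resolve to eth0, which is exactly the thread's problem.
    (None, None) models the kernel's 'Network is unreachable'.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return (None, None) if best is None else (best[1], best[2])


# --- Scenarios built from the thread's diagram -----------------------------

def broken_server1():
    """As posted: both NICs in 192.168.1.0/24, default gateway 192.168.1.50."""
    return build_table("192.168.1.10/24", "192.168.1.11/24")


def fixed_by_renumbering():
    """Juha's primary fix: the switch2 side moves to 192.168.2.x."""
    return build_table("192.168.1.10/24", "192.168.2.11/24")


def fixed_by_point_routes():
    """Alternative fix: keep the numbering, add /32 routes to the DB server via eth1."""
    return build_table("192.168.1.10/24", "192.168.1.11/24",
                       host_routes=(("192.168.1.25/32", "eth1"),
                                    ("192.168.1.26/32", "eth1")))


def db_server_renumbered():
    """DB server after renumbering, with no default gateway: it can reach the
    application servers on 192.168.2.x but nothing behind the router."""
    return build_table("192.168.2.25/24", "192.168.2.26/24", gateway=None)


if __name__ == "__main__":
    cases = [
        ("server1 as posted -> DB 192.168.1.25", broken_server1(), "192.168.1.25"),
        ("server1 renumbered -> DB 192.168.2.25", fixed_by_renumbering(), "192.168.2.25"),
        ("server1 point routes -> DB 192.168.1.25", fixed_by_point_routes(), "192.168.1.25"),
        ("server1 point routes -> server3 .30", fixed_by_point_routes(), "192.168.1.30"),
        ("server1 -> Internet host", broken_server1(), "198.51.100.7"),
        ("DB server -> router 192.168.1.50", db_server_renumbered(), "192.168.1.50"),
        ("DB server -> server1 eth1 .11", db_server_renumbered(), "192.168.2.11"),
    ]
    for label, table, dst in cases:
        iface, gw = lookup(table, dst)
        print(f"{label:45s} via {iface or 'unreachable'}"
              + (f" gw {gw}" if gw else ""))
```

The first case shows why the ping fails: 192.168.1.25 matches the eth0 connected route, so the packet leaves toward switch1, where no DB server exists. Either fix makes the /32 or the 192.168.2.0/24 route more specific than eth0's /24. The last two cases answer the gateway question: with no default route the DB server has no path to the router (or the home office), which is the isolation the original poster wanted.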
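Juha's last suggestion (give the DB server a second leg on switch1 for ssh only, and make sure nothing else listens there) is easy to get wrong, because a daemon bound to 0.0.0.0 is reachable on every NIC. The following added example, not code from the thread or from any of the posters, audits `netstat -ltn`-style output for exactly that. The management address 192.168.1.12 and the switch2-side address 192.168.2.25 are assumed, and the netstat lines are constructed samples.

```python
"""Audit which ports a multi-homed host exposes on each NIC.

Added example, not from the original post. Assumed addresses: 192.168.1.12
is the DB server's switch1-facing (ssh-only) NIC, 192.168.2.25 its
switch2-facing NIC. The netstat output below is constructed sample input.
"""

WILDCARD = "0.0.0.0"   # a socket bound here answers on every interface

# Constructed sample: the default install, sshd and mysqld bound to 0.0.0.0.
WEAK_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Constructed sample after 'ListenAddress 192.168.1.12' in sshd_config and
# 'bind-address = 192.168.2.25' under [mysqld] in my.cnf; sendmail on loopback.
HARDENED_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.12:22         0.0.0.0:*               LISTEN
tcp        0      0 192.168.2.25:3306       0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""


def parse_listeners(netstat_output):
    """Return [(local_address, port)] for every TCP socket in LISTEN state.

    Header lines are skipped because their first field is not 'tcp'.
    """
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            addr, port = fields[3].rsplit(":", 1)
            listeners.append((addr, int(port)))
    return listeners


def reachable_on(listeners, iface_addr):
    """Sorted ports that answer on iface_addr: bound to it or to the wildcard."""
    return sorted(port for addr, port in listeners if addr in (WILDCARD, iface_addr))


def audit(listeners, mgmt_addr, allowed_ports=(22,)):
    """Listeners that violate the policy 'only allowed_ports on the management NIC'.

    A wildcard bind counts as exposed on the management NIC too.
    """
    return [(addr, port) for addr, port in listeners
            if addr in (WILDCARD, mgmt_addr) and port not in allowed_ports]


if __name__ == "__main__":
    for label, text in (("as installed", WEAK_NETSTAT), ("hardened", HARDENED_NETSTAT)):
        listeners = parse_listeners(text)
        print(f"{label}: ports on 192.168.1.12 = {reachable_on(listeners, '192.168.1.12')}, "
              f"ports on 192.168.2.25 = {reachable_on(listeners, '192.168.2.25')}")
        for addr, port in audit(listeners, "192.168.1.12"):
            print(f"  VIOLATION: {addr}:{port} is reachable on the management NIC")
```

Run it against real output (`netstat -ltn` on the DB server; newer systems use `ss -ltn`, whose columns differ) whenever a service is added: the check only passes when MySQL is bound to the switch2 address and sshd to the switch1 address, which is the state Juha's advice describes.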