Thread: Failover internet connections, and implementation...




Failover internet connections, and implementation...
user name
2007-10-23 13:18:30
I've a question about failover internet connections. I'm interested in knowing what kind of implementations other SMBs use for redundancy, and to switch to in the case of a DoS attack.

Do any of you have redundant high-speed internet connections for your offices (versus those for datacenters)? If so, what kind of setup do you have?

Here are the setups I'm considering...

1. Have a second cable modem/DSL modem active, but not hooked into the network. In the event of a failure, move the connection for perimeter devices over to the standby connection and reconfigure the perimeter device to use a different IP.

2. Have a second set of perimeter devices (firewalls) programmed to use the IPs on the second connection, as a hot standby.

My problem with the first option is the time it would take to reconfigure firewalls and IDSes to use the other ISP's connection. The problem I have with the second is the expense of firewalls and IDSes just sitting there idle.

Any input is greatly appreciated!

Dan




RE: Failover internet connections, and implementation...
user name
2007-10-23 14:22:48
One option: if the internet provider supports BGP, IIRC you can do load balancing on 2 internet connections, or buy SMB hardware that will do connection failover (roughly <$85).

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Dan Denton
Sent: Tuesday, October 23, 2007 2:19 PM
To: security-basics@securityfocus.com
Subject: Failover internet connections, and implementation...

I've a question about failover internet connections. I'm interested in knowing what kind of implementations other SMBs use for redundancy, and to switch to in the case of a DoS attack.

Do any of you have redundant high-speed internet connections for your offices (versus those for datacenters)? If so, what kind of setup do you have?

Here are the setups I'm considering...

1. Have a second cable modem/DSL modem active, but not hooked into the network. In the event of a failure, move the connection for perimeter devices over to the standby connection and reconfigure the perimeter device to use a different IP.

2. Have a second set of perimeter devices (firewalls) programmed to use the IPs on the second connection, as a hot standby.

My problem with the first option is the time it would take to reconfigure firewalls and IDSes to use the other ISP's connection. The problem I have with the second is the expense of firewalls and IDSes just sitting there idle.

Any input is greatly appreciated!

Dan






RE: Failover internet connections, and implementation...
user name
2007-10-23 14:22:09
We use a dual-WAN router (in front of our firewall) from PePLink (www.peplink.com) with 2 T1s. I had a DSL backup before we got our second T1 and it worked well.

I can also do some traffic shaping (send SMTP through the backup and all HTTP/S through the primary) so that we're not trying to stuff everything down one pipe.

Outbound failover is pretty much automatic, but inbound takes some doing (server mappings, etc.) but it's not too difficult.

Thanks,
Joe




RE: Failover internet connections, and implementation...
user name
2007-10-23 14:24:31
Hi David

Checking www.gta.com

GB-OS offers the use of up to six multiple Internet connections over multiple physical interfaces or virtual gateways over a single interface, with enhanced gateway failover features and outbound bandwidth sharing (load balancing).

Best regards,

Wilson Mosquera
TECNOAV







RE: - Failover internet connections, and implementation... - Bayesian Filter detected spam
user name
2007-10-23 14:29:12
We use the Fatpipes mpvpn to load balance 3 internet connections coming in on different media (fiber, copper cable). They work great. Remember, if you have external services (mail, web, etc.) you will need to address DNS issues if you manually change ISPs. The Fatpipes cover this for you. Their support is great; we have been running 2 for redundancy for over 3 years now with no issues.
http://www.fatpipeinc.com/mpvpn/index.html







Re: Failover internet connections, and implementation...
user name
2007-10-23 14:45:57
Compare those costs to the cost of the service outage. Your business will dictate how long of an outage it can sustain. Don't forget to include the expense to restore service, such as possibly the cost for a technician and associated costs such as travel time and expenses.



RE: Failover internet connections, and implementation...
user name
2007-10-23 16:05:44
Neither of these will work if you host the company's Internet-facing servers (web, email) on the network, because DNS entries (cached all over the place) will still be pointing at your primary addresses.

There are special appliances that will compensate for a failed ISP link, including serving up DNS with a short TTL and reflecting the change. The more traditional approach is to have dedicated routable addressing -- at least for those servers! -- and BGP to multiple ISP connections.

David Gillett




Re: Failover internet connections, and implementation...
user name
2007-10-23 16:57:52
I have yet to see an SMB use redundant ISP links. However...

With a Cisco ASA 5505 you could have redundant ISP links for not that much money.

An SLA will monitor the health of the primary link, and in case it goes down, will automatically switch to the other link. It can even be a different interface with a different public IP address. The default gateway to the internet will be automatically populated in the routing table.

Anthony
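
A simplified model of the SLA-tracked default route described in the message above, added here as an example; it is not part of the original post and not Cisco's implementation. The addresses (documentation ranges), interface names, metrics, three-miss threshold and probe sequence are all constructed assumptions.

```python
# Constructed routing table: the primary default route is tied to a health
# probe ("tracked"); the backup is a floating route with a worse metric.
ROUTES = [
    {"ifc": "outside", "gateway": "203.0.113.1", "metric": 1, "tracked": True},
    {"ifc": "backup", "gateway": "198.51.100.1", "metric": 254, "tracked": False},
]

# Constructed probe results (True = echo reply received from the probe target).
PROBES = [True, True, False, True, False, False, False, False, True, True]


def default_route_timeline(probes, routes=ROUTES, fail_threshold=3):
    """Replay probe results; return the default gateway in use after each
    probe and a log of (tick, event, gateway) route changes."""
    misses, primary_up = 0, True
    timeline, events = [], []
    for tick, ok in enumerate(probes):
        misses = 0 if ok else misses + 1
        was_up = primary_up
        if ok:
            primary_up = True            # tracked route is reinstalled
        elif misses >= fail_threshold:
            primary_up = False           # tracked route is withdrawn
        # Only installed routes compete; the lowest metric wins.
        installed = [r for r in routes if primary_up or not r["tracked"]]
        best = min(installed, key=lambda r: r["metric"])
        if primary_up != was_up:
            events.append((tick, "restored" if primary_up else "failover",
                           best["gateway"]))
        timeline.append(best["gateway"])
    return timeline, events


if __name__ == "__main__":
    timeline, events = default_route_timeline(PROBES)
    for tick, event, gateway in events:
        print(f"probe {tick}: {event}, default gateway now {gateway}")
```

A single lost probe (tick 2) does not move the route; only the run of three misses does, which keeps a lossy but working primary link from flapping.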





Re: Failover internet connections, and implementation...
user name
2007-10-23 17:13:25
On Tue, Oct 23, 2007 at 02:05:44PM -0700, David Gillett wrote:
> Neither of these will work if you host the company's Internet-facing servers (web, email) on the network, because DNS entries (cached all over the place) will still be pointing at your primary addresses.

You can change the zone file so that it has a much shorter timeout -- that way, if there is an outage and you need to change the zone, you can do it with minimal delay... change it from 3 days down to 30 minutes, for example, and your changes should propagate much quicker.

> David Gillett

regards,
J
-- 
http://zoidtechnologies.com/ -- software that sucks less
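
One way to check a zone against the 30-minute target mentioned in the message above, added here as an example and not part of the original post. The zone contents and names are constructed, and the parser assumes a simplified zone file with one record per line and an explicit owner name on every record.

```python
import re

# Constructed sample zone using documentation addresses; not from the thread.
SAMPLE_ZONE = """\
$TTL 3d
@     IN       MX  10 mail.example.com.
www   IN       A   192.0.2.10
mail  1800 IN  A   192.0.2.25   ; already lowered
ftp   1w   IN  A   192.0.2.30
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TYPES = {"A", "AAAA", "MX", "CNAME", "NS", "TXT", "SRV"}


def parse_ttl(token):
    """Convert a BIND-style TTL ('1800', '3d', '1h30m') to seconds, else None."""
    if not re.fullmatch(r"(\d+[smhdw]?)+", token, re.I):
        return None
    return sum(int(n) * UNITS[(u or "s").lower()]
               for n, u in re.findall(r"(\d+)([smhdw]?)", token, re.I))


def audit_zone(zone_text, budget=1800):
    """Return (owner, type, ttl_seconds) for records cached longer than budget."""
    default_ttl, slow = None, []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()      # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        owner, rest, ttl = fields[0], fields[1:], default_ttl
        # An optional TTL and class may sit between the owner and the type.
        while rest and rest[0].upper() not in TYPES:
            explicit = parse_ttl(rest[0])
            ttl = explicit if explicit is not None else ttl
            rest = rest[1:]
        if rest and ttl is not None and ttl > budget:
            slow.append((owner, rest[0].upper(), ttl))
    return slow


if __name__ == "__main__":
    for owner, rtype, ttl in audit_zone(SAMPLE_ZONE):
        print(f"{owner:6} {rtype:4} cached up to {ttl // 3600} h after a change")
```

The shorter TTL has to be published before an outage: resolvers that already hold a record keep it for the TTL it was served with.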

Re: Failover internet connections, and implementation...
user name
2007-10-23 22:19:37
You should also be able to set up the second connection and use both at the same time. Then if either of them is having a problem, the traffic will use the other one. Look into a device capable of load balancing two connections. Then you are not "wasting" any equipment, as it is actually being used to increase your bandwidth.

Larry Offley
www.offley.ca


