Folks, here's the situation:
Two physical servers, running Windows 2008 Enterprise Core & Hyper-V, both have two physical NICs each. Each physical server runs three virtual machines, five of which are Windows 2008 server, and one will be Debian 4.0.
A third physical server is currently under consideration (hardware is on hand) to run Centos 5 and act as backup server (Amanda + Zmanda) for the Hyper-V boxes.
The public institution these are located at will place them outside of the institutional firewall, and any attempts to receive further support from the IT department to secure these machines have been met with "we have no further suggestions for you at this time, thanks for letting us know what you are planning to do though". (I kid you not!)
I'll try to explain the best I can which way these are meant to be set up:
P1 = physical server 1
P1V1 = physical server 1, virtual machine 1
etc.
-P1
--P1V1 - web server (IIS7)
--P1V2 - web application server
--P1V3 - file storage server
-P2
--P2V1 - SQL server
--P2V2 - middleware server (P1V2 <-> P2V1)
--P2V3 - web server (LAMP)
-P3
I know which ports I would like to keep open between machines, and which I would like to keep open to the outside world. I could go all out and create VLANs for some of these virtual machines to completely remove them from the Internet as such, but that's a level of complexity that may not be necessary.
The IT department offered to assign static IPs, host names, and create all relevant DNS entries for all machines (physical and virtual), so all machines will (can) receive a routable IP.
The network traffic those machines are projected to experience will be low by any standards, both in terms of requests/day as well as MB/day.
The question is, how would I best go about securing this setup? I do have a 1U server I can set up with Centos to act as iptables based firewall, but is that really a good option considering that I don't have all day to babysit my firewall and monkey with it (ok ok, shorewall comes to mind to make things a bit easier).
Should I look into buying a rack-mountable firewall appliance to make my life easier? I was looking into an ASA 5005, and although the licensing scheme is confusing to me, the roughly $1,000 I could probably justify. However, it's not rack-mountable afaik. The Cisco appliances which are rack-mountable are oversized for our needs, and at $3,000+ also over budget.
Any suggestions would be highly appreciated. I am not afraid of iptables, but I do wonder whether over time an appliance would be a more cost effective solution due to easier administration, support, updates, no monkeying with building a custom kernel firewall box, etc. etc.
Thanks for reading!
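As an added illustration (not from the original post), here is what the iptables ruleset for the 1U CentOS box would look like if it sits inline as the router for the P1/P2 guests, so that guest traffic crosses the FORWARD chain. The script only generates the rules for review; the addresses are constructed RFC 5737 placeholders, and every port other than 80/443 (app, middleware, SQL, SMB, Amanda, RDP/SSH) and the admin network are assumptions, as is P2V3 being the Debian guest.

```shell
#!/bin/sh
# Generates (does not apply) an iptables FORWARD ruleset for the P1/P2 layout.
# Constructed placeholder addresses (RFC 5737); replace with the assigned IPs.
P1V1=192.0.2.11; P1V2=192.0.2.12; P1V3=192.0.2.13   # IIS, app, file storage
P2V1=192.0.2.21; P2V2=192.0.2.22; P2V3=192.0.2.23   # SQL, middleware, LAMP
P3=192.0.2.30                                        # CentOS backup server
ADMIN_NET=198.51.100.0/24   # assumed: network the admins connect from

# allow SRC DST PROTO PORT: one FORWARD rule for new connections only;
# replies are covered by the conntrack rule, everything else by the DROP policy.
allow() {
    echo "iptables -A FORWARD -s $1 -d $2 -p $3 --dport $4 -m conntrack --ctstate NEW -j ACCEPT"
}

emit_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # Internet-facing services: only the two web front ends, only HTTP/HTTPS.
    for web in $P1V1 $P2V3; do
        allow 0.0.0.0/0 $web tcp 80
        allow 0.0.0.0/0 $web tcp 443
    done
    # Internal chain, each hop reachable only from the previous one (ports assumed).
    allow $P1V1 $P1V2 tcp 8080     # IIS -> app server
    allow $P1V2 $P2V2 tcp 8443     # app -> middleware
    allow $P2V2 $P2V1 tcp 1433     # middleware -> SQL (MSSQL default port)
    allow $P1V2 $P1V3 tcp 445      # app -> file storage over SMB
    # Backups: only P3 may reach the guests on the assumed Amanda client port.
    for h in $P1V1 $P1V2 $P1V3 $P2V1 $P2V2 $P2V3; do
        allow $P3 $h tcp 10080
    done
    # Management: RDP to the Windows guests, SSH to Debian/CentOS, admin net only.
    for h in $P1V1 $P1V2 $P1V3 $P2V1 $P2V2; do allow $ADMIN_NET $h tcp 3389; done
    allow $ADMIN_NET $P2V3 tcp 22
    allow $ADMIN_NET $P3 tcp 22
    # Log what the DROP policy is about to discard, rate-limited.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
}

# Sanity check: how many rules expose a port to the whole Internet (expect 4).
public_rule_count() { emit_rules | grep -c -- '-s 0.0.0.0/0 '; }

emit_rules
```

Review the output, then feed it to a root shell; the `public_rule_count` check is the kind of assertion worth keeping in the script so a later edit cannot quietly open the SQL or file server to the Internet.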