Date: Sun, 22 Jun 2003 14:17:43 -0300
From: "Alex Soares de Moura" <alex@rnp.br>
To: "agent dero" <dero@bluhayz.org>
Cc: freebsd-net@freebsd.org
Subject: Re: freebsd-net Digest, Vol 13, Issue 6
Message-ID: <016201c338e2$3ed8b620$767ba8c0@freebsd>
References: <20030621190121.DA36437B405@hub.freebsd.org> <20030621203103.M9576@bluhayz.org>
Hello,

A couple of years ago I was one of the networking/security engineers of a major datacenter company in my country. There goes my $0.02:

1) I find it very trustworthy of you to share so much info about your net and systems with the whole Internet, but I'm not sure if it's a good policy, mainly because it's a business and there are a lot of resources of yours that many bad hackers would love to put their virtual hands on (disk space, bandwidth etc.), as anyone can see at the Sysinfo page. Ok, security through obscurity is not a valid argument among the IT security community, but your customers may not have that knowledge, and sharing so much info about your net can be bad for [your] business anyway.

Now to your questions.

2) Yes, the proposed architecture will work, although it can have slower performance than optimal, mainly if there's a high traffic load.

3) First, it must be clear that there are the LAN and WAN parts of your questions to be concerned about.

4) You mentioned concern about performance (added latency). I believe that you were just referring to the LAN, but remember that a firewall in the WAN connection can (and will) add latency to the overall inbound/outbound Internet access. For now it's

5) For the LAN, your network performance and security can improve and benefit from breaking down (segmenting) your broadcast domain into different segments, one for each area and purpose. You can implement segmenting using only one switch if it supports VLANs. This will allow you to apply different security policies to each area and increase their expandability (using more switches in the future), but don't count just on VLANs for that. Another advantage of segmenting is that you can delay the purchase of an expensive gigabit switch, which can be added later, when you see that the network core needs upgrading.

6) Talking about segmenting, you can benefit from a DMZ, where you can put the DNS, NTP, an external mail hub and other services, separating their traffic.
7) Storage is another area. Your NFS and backend (database) communication only needs to happen with your front-end (web) servers, right? Following this idea, you can think about putting in a separate switch to connect them, using a second network interface in the front-end servers. You can use this secondary LAN for backup purposes too. The drawback is the increased cost of more NICs.

Best regards,
Alex

----- Original Message -----
From: "agent dero" <dero@bluhayz.org>
To: <freebsd-net@freebsd.org>
Sent: Saturday, June 21, 2003 5:41 PM
Subject: Re: freebsd-net Digest, Vol 13, Issue 6

> I am re-organizing my company's network, albeit a small one, but it is still
> very very important.
> I run a small webhosting company, and I am rebuilding the LAN with the idea
> of expandability.
> The LAN diagram is here
> http://www.bluhayz.org/~dero/overall_lan.png
> (I apologize for PNG, but that's how AppleWorks wanted to save it.)
>
> Anyways, I am wondering about overall network performance, given that our net
> connection isn't higher than 45Mbps (burstable connection, yay!)
>
> (All machines are running FreeBSD 4.8-RELEASE)
>
> The plan is to store all user directories, i.e. web sites, on the NFS disk
> server, equipped with a gazillion disk drives, all with RAID0+1, and simply
> running NFS (and of course SSH).
> Then the FTP server (1), the web servers (2 at the current point in time) and then,
> somewhere in the future, the MySQL servers will all have data stored on the
> NFS server. In addition, the overall workload will be spread across the web
> servers, using BIND's round-robin capability.
> Note: I am planning on upgrading to Gigabit sometime soon.
>
> The question being, how will this network perform? I realize there will be
> increased network traffic, but the two things I am worried about are overall
> added latency, and plausibility, i.e. before I buy more hardware, will this
> work!
> The biggest toss-up is the tradeoff between a couple ms of latency, and
> expandability.
> According to this current diagram, all we need to do to add a
> new server to help relieve load is to add a new web server, configure it
> in the BIND configuration files, and get it to use the NFS server.
>
> Help is not only needed, but appreciated.
>
> thanks!
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
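Points 5 and 7 of the reply (segment the LAN, and keep NFS/database traffic on a second NIC that only the front-end servers share) translate directly into a per-host packet filter on each front-end web server. The script below is an added example written for this archive page, not code from either poster: it builds that policy as ipfw(8) rules, ipfw being the firewall shipped in the FreeBSD 4.8 base system the original message mentions. The interface names, subnets, the admin network and the NFS/MySQL server addresses are all constructed for illustration; the security point is that the backend ports (portmapper, NFS, MySQL) are reachable only out of the storage NIC and are explicitly refused and logged on the public NIC, so a compromised web server on the Internet side cannot become a path to the disk server.

```shell
#!/bin/sh
# Added example (not from the thread): host firewall for a front-end web
# server with a public NIC and a second NIC on the private storage LAN.
# Defaults to a dry run that prints the rules; run with
#   IPFW='/sbin/ipfw -q' sh fe-fw.sh
# on the FreeBSD host to actually load them.
IPFW="${IPFW:-echo}"

EXT_IF="fxp0"                  # public, Internet-facing interface (assumed)
STOR_IF="fxp1"                 # second NIC on the storage/backend LAN (assumed)
STOR_NET="10.10.20.0/24"       # private storage subnet (assumed)
NFS_SRV="10.10.20.10"          # NFS disk server (assumed)
DB_SRV="10.10.20.11"           # future MySQL server (assumed)
ADMIN_NET="192.0.2.0/24"       # admin network allowed to ssh in (TEST-NET-1, assumed)

build_ruleset() {
    $IPFW -f flush

    # Loopback is trusted; loopback addresses seen on a wire are spoofed.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 120 deny ip from 127.0.0.0/8 to any

    # Storage-subnet sources must never arrive on the public interface.
    $IPFW add 200 deny log ip from $STOR_NET to any in recv $EXT_IF

    # Let replies to connections we opened (and accepted) through.
    $IPFW add 300 check-state

    # Public services: HTTP/HTTPS from anywhere, SSH only from the admin net.
    $IPFW add 400 allow tcp from any to me 80,443 in recv $EXT_IF setup keep-state
    $IPFW add 410 allow tcp from $ADMIN_NET to me 22 in recv $EXT_IF setup keep-state

    # Backend traffic: only out of the storage NIC and only to the named hosts.
    # portmapper (111) and NFS (2049) to the NFS server, MySQL (3306) to the DB.
    $IPFW add 500 allow tcp from me to $NFS_SRV 111,2049 out xmit $STOR_IF setup keep-state
    $IPFW add 510 allow udp from me to $NFS_SRV 111,2049 out xmit $STOR_IF keep-state
    $IPFW add 520 allow tcp from me to $DB_SRV 3306 out xmit $STOR_IF setup keep-state

    # The same ports are refused and logged on the public side, in either direction.
    $IPFW add 600 deny log tcp from any to any 111,2049,3306 via $EXT_IF
    $IPFW add 610 deny log udp from any to any 111,2049 via $EXT_IF

    # Outbound from this host on the public side (DNS, NTP, SMTP to the DMZ hosts, ...).
    $IPFW add 700 allow tcp from me to any out xmit $EXT_IF setup keep-state
    $IPFW add 710 allow udp from me to any 53,123 out xmit $EXT_IF keep-state

    # Everything else is dropped and logged.
    $IPFW add 65000 deny log ip from any to any
}

build_ruleset
```

Because the rules are ordered, the explicit denies at 600/610 sit after the storage-side allows but before the general outbound rule at 700, so a later "allow tcp from me to any" on the public interface cannot quietly reopen NFS or MySQL. The stateful rules mean the box initiates everything towards the storage LAN; nothing on that LAN can open a connection back to the web server, which keeps the disk server from being used as a pivot in the other direction too.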