From owner-freebsd-net Sat Sep 30 9:32:53 2000
Delivered-To: freebsd-net@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id CBE6B37B503 for ; Sat, 30 Sep 2000 09:32:50 -0700 (PDT)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id KAA12603; Sat, 30 Sep 2000 10:32:49 -0600 (MDT)
Date: Sat, 30 Sep 2000 10:32:49 -0600 (MDT)
From: Nick Rogness
To: "Chutima S."
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: How to connect to Internet with 2 ISP.
In-Reply-To: <20000930140341.DASZ321.mta03.onebox.com@onebox.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 30 Sep 2000, Chutima S. wrote:

> Hi
> hello.
>
> How should I arrange about IP address, routing, DNS, security? Where
> should I find this information?

The only way to answer this question is to determine your needs. Is redundancy the only concern? Do you want load balancing? One thing is for sure, you probably want to look at some type of dynamic routing protocol. gated can accomplish most of your needs (/usr/ports/net/gated), including BGP, which is what most (99.9%) people use to peer with other ASes. You will have to work with your ISPs to determine which type of routing options they have available and then build gated to work with that setup (www.gated.org). If, however, your upstreams do not want to do some type of routing, you will be stuck with just using static routes.

DNS is pretty straightforward. Have the ISP delegate authority for the reverses (in-addr.arpa) to your DNS server. Get a good naming scheme set up.

Designing IP address schemes is quite involved and is out of scope for this mail. Let your routing decisions play a role in that.

Security is such a broad topic, let's look at 2 different areas.
The first being network security: have a good firewall (ACL) in place to prevent spoofing, and route filtering (don't announce networks you don't own). Determine filtering on your edge (access) layer but minimize on your core... etc, etc. Develop a solid architecture. The Core-Distribution-Access model is used quite often throughout the Internet.

The second being systems security. Put in place a good Intrusion Detection System. The best in the business right now (IMHO) is snort (www.snort.org), which can do all, if not more, than most of the commercial IDS systems, like ISS, etc., and it takes little load to run a big ruleset (hence the light-weight part of it). Use encryption wherever (or whenever) possible. Little or weak encryption is STILL better than none at all ;-)

Buy some books, do some research (case studies).

Nick Rogness
- Drive defensively. Buy a tank.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
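The anti-spoofing firewall ACL and egress filtering recommended above, as an added example that is not part of the original mail: an ipfw ruleset for a FreeBSD edge box with two upstream interfaces. The interface names (fxp0, fxp1, fxp2) and the 198.51.100.0/24 prefix are assumptions; the script prints the rules unless FWCMD is set to the real ipfw binary.

```shell
# Added example, not from the original mail. Dry-run by default: with FWCMD
# unset every rule is echoed for review; FWCMD=/sbin/ipfw applies them.
fwcmd="${FWCMD:-echo ipfw}"

OUR_NET="198.51.100.0/24"   # assumed: the prefix you own and announce
LAN_IF="fxp0"               # assumed: inside interface
UPSTREAMS="fxp1 fxp2"       # assumed: one interface per ISP

emit_rules() {
    $fwcmd -f flush
    # Loopback stays local; 127/8 must never appear on a real interface.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any
    for up in $UPSTREAMS; do
        # Ingress: a packet from an ISP carrying OUR source prefix is spoofed.
        $fwcmd add 200 deny ip from $OUR_NET to any in via $up
        # Ingress: RFC 1918 space cannot legitimately arrive from the Internet.
        $fwcmd add 210 deny ip from 10.0.0.0/8 to any in via $up
        $fwcmd add 210 deny ip from 172.16.0.0/12 to any in via $up
        $fwcmd add 210 deny ip from 192.168.0.0/16 to any in via $up
        # Egress: only our own prefix may leave towards either ISP, so this
        # box can never be the source of spoofed traffic on the Internet.
        $fwcmd add 300 allow ip from $OUR_NET to any out via $up
        $fwcmd add 310 deny ip from any to any out via $up
    done
    # Inside: hosts on the LAN may only originate traffic from our prefix.
    $fwcmd add 400 allow ip from $OUR_NET to any in via $LAN_IF
    $fwcmd add 410 deny ip from any to any in via $LAN_IF
    # Everything that survived the spoofing checks is handled by later policy.
    $fwcmd add 65000 allow ip from any to any
}

emit_rules
```

The same ingress and egress checks apply per upstream interface, so adding a third ISP is a matter of extending UPSTREAMS.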