Internet.com ISP-Planet

 



 

Best of the ISP-Lists

Managed Security Services

The Diameter of Security

Members of the ISP-Security list debate the minimum requirements for designing a secure network. This is a controversial topic and there is no unique correct answer (but everyone knows that the diameter is twice the RADIUS).

[February 8, 2002]

On the ISP-Security list in January, PP inquired,

"We are starting a small ISP. We currently have 64 IP addresses, two web servers, one mail server, one RADIUS server, one proxy, one DNS, one RAS, and a firewall. Any suggestions on how to design a secure network?"

A number of respondents suggested that redundancy is key:

[EC offered] "I would recommend two of everything."

[PG agreed] "I'd suggest you rethink having a single RADIUS server, a single DNS server, and a single mail server. At a minimum, I'd suggest finding someone to do secondary DNS and MX for you, and setting up a secondary RADIUS server on one of your machines. These are all critical services that are easily made redundant."

Others offered specific guidance on the network architecture:

[PF observed] "As far as the network goes, I'm fond of a three-network architecture, with one network that's external-facing for public services, one meant for staff, and one dedicated to backups. The latter two networks then exist on private address space. I'm also a big proponent of machine-level firewalling in addition to dedicated firewalls."

[AI agreed] "Use the simple approach. Get a firewall. Set up a DMZ: Web, e-mail, DNS, etc. Set up a local LAN: your workstations, customers, etc. And set up a secure backup system. Then set up an identical system at a different ISP, and run a 'distributed cluster' for redundancy."

Still others looked at outsourcing as a possibility:

[MM advised] "Consider outsourcing your e-mail, DNS, RADIUS, and billing/CRM software: all you'd have to worry about is the network side."

[JI laughed] "Having your billing/RADIUS details stored with another company? Hmm: that doesn't do it for me, security-wise…"

[AI agreed] "Security cannot be outsourced. On the other hand, one must hire outside security experts to analyze and fix the security risks."

[MM explained] "It all depends on whether or not you know what you're doing, which most people don't when it comes to security. What's worse: having your customers' information stored on someone else's servers which are secure, or keeping it in your own network that may or may not be secure?"

—End
