
#4128

Does anyone (Fedor?) have the bandwidth to write up a few notes on VLANs? Specifically what do you want customers to know about AppNexus VLANs and VLAN requests and migrations?

Thanks,
Emily

Hi Emily,

Let's add the following item to the questionnaire: "By default, all ports between your NYM1 VLAN and LAX1 VLAN will be open, please specify other rules if necessary. Please take into account that traffic between LAX1 and NYM1 goes over the Internet and isn't encrypted".

Probably we should insert a table for the rules (similar to the existing one):

Protocol – Source DC – Source Port – Destination DC – Destination Port – Action

Regards, Vladimir

Tue Jul 15 13:19:10 2008: Request 3655 was acted upon.
Transaction: Ticket created by mnolet
Queue: documentation
Subject: FW: question from customer
Owner: Nobody
Requestors: mike@appnexus.com
Status: new

From: AppNexus PWC Support - Dani Roisman appnexus@peakwebconsulting.com
Sent: Thursday, July 03, 2008 3:11 PM
To: Mike Nolet

The first three of these I posted on the wiki FAQ; the last I posted here if you want to send to the customer who asked the question.

1. Why do you use ACLs instead of a stateful firewall?

Stateful inspection is most useful for protecting outbound traffic, but with hosting, the servers tend to receive traffic instead of initiate it. Also, because we are dealing with an unknown amount of traffic, the ability to scale is very important. Stateful inspection is an expensive task for a device to perform and therefore subject to strict capacity limitations (we're talking sub Gigabit for most firewalls). On the other hand, Cisco routers perform ACL packet filtering at line rate with absolutely no performance hit. So, while stateful inspection is appropriate for small, stable amounts of outbound traffic or for protecting niche pieces of the network, (like e-commerce databases), ACLs are more scalable and efficient for protecting inbound traffic to servers. If a customer still desires a stateful firewall, we can add it for a fee.

2. What are the security implementations at each layer?

Here are the security measures at each relevant layer of the OSI Reference Model:

Layer 1 - (Physical Layer) All your network gear and servers are protected in secure, locked colocation facilities.

Layer 2 - (Data Link Layer) Extensive use of VLANs provides segregation of each customer's traffic from AppNexus traffic and other customers' traffic.

Layer 3 - (Network Layer) Bi-directional ACLs are applied on every routing interface with a Default Deny policy, meaning only explicitly permitted traffic is allowed to pass.

Layer 4 - (Transport Layer) The use of TCP-based protocols provides connection reliability and allows for session protection via ACLs and host firewalling.

Layer 7 - (Application Layer) There is extensive use of encryption (SSH, SSL-VPN) throughout the network.

3. How do you detect, prevent, and manage DDoS attacks and application-level attacks?

Preemptive protection against DDoS attacks is difficult, because we have no way of knowing when, where, or what type to expect. Also, please note that AppNexus does not manage nor monitor the customer's applications (even their OS). That said, in the event of an attack the use of Cisco ACLs allows us to apply deny statements for the source of the attack without affecting performance of the rest of the network. Also, we highly recommend that our customers utilize the F5 server load balancing technology for front-ending their web applications, as the F5s provide built-in DDoS protection when they perform full-proxy session offload.

4. What is the capacity of our VPN hardware?

Currently there is no customer-allocated VPN hardware. If you need VPN capabilities, please let us know and we may be able to provide them to you for a fee.

Cc: Peak Web Consulting
Subject: RE: question from customer

See my inlines..


Dani Roisman
Peak Web Consulting
droisman@peakwebconsulting.com
Office: 818-609-7021 / Cell: 818-481-5581
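Added illustration, not from this thread and not AppNexus or PWC configuration: a small Python model of the two approaches compared in answer 1 above, with the rule table laid out in the Protocol / Source DC / Source Port / Destination DC / Destination Port / Action columns Vladimir proposes at the top of the page. The /24 networks for NYM1 and LAX1, the sample addresses, the flows and the rule set are all constructed for the example; the `established` behaviour mirrors the Cisco extended-ACL keyword of that name. The stateless ACL evaluates every packet on its own with an implicit default deny (answer 2, Layer 3) and can recognise replies to server-initiated connections only by their ACK flag, while the stateful filter keeps a per-connection table instead, which is what makes it both tighter for outbound-initiated traffic and costlier at scale.

```python
"""Toy packet filter: stateless default-deny ACL vs. a stateful connection tracker.
All addresses, rules and traffic below are constructed for illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # wildcard for a rule field

# Constructed: one /24 per data centre; anything else counts as Internet.
DC_NETS = {"NYM1": ip_network("10.1.0.0/24"), "LAX1": ip_network("10.2.0.0/24")}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK (or RST) flag set


@dataclass(frozen=True)
class Rule:
    """One row of a Protocol / Source DC / Source Port / Dest DC / Dest Port / Action table."""
    proto: Optional[str]
    src_dc: Optional[str]
    sport: Optional[int]
    dst_dc: Optional[str]
    dport: Optional[int]
    action: str
    # Like the `established` keyword of a Cisco extended ACL: match only segments with
    # ACK/RST set, the only hint a stateless filter has that a packet is a reply.
    established: bool = False


def dc_of(addr: str) -> str:
    a = ip_address(addr)
    for name, net in DC_NETS.items():
        if a in net:
            return name
    return "INTERNET"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    fields = [(rule.proto, pkt.proto), (rule.src_dc, dc_of(pkt.src)), (rule.sport, pkt.sport),
              (rule.dst_dc, dc_of(pkt.dst)), (rule.dport, pkt.dport)]
    if any(want is not ANY and want != got for want, got in fields):
        return False
    return pkt.ack or not rule.established


def stateless_acl(rules, pkt: Packet) -> str:
    """Each packet judged alone: first matching rule wins, no match means deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"  # implicit default deny, as on a Cisco ACL


class StatefulFilter:
    """Same rule table, but replies are recognised from a connection table rather than
    by flag. The table is the cost: one entry per permitted flow, growing with the
    (unknown) client population, where the ACL needs no memory at all."""

    def __init__(self, rules):
        self.rules = [r for r in rules if not r.established]  # the table replaces `established`
        self.table = set()  # 5-tuples of flows a permit rule admitted

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "permit"  # belongs to a connection already allowed
        action = stateless_acl(self.rules, pkt)
        if action == "permit":
            self.table.add(fwd)
        return action


# Constructed rule table in the thread's proposed column order (first match wins).
RULES = [
    Rule("tcp", "INTERNET", ANY, "NYM1", 443, "permit"),                    # public HTTPS
    Rule("tcp", "INTERNET", ANY, "NYM1", ANY, "permit", established=True),  # replies to server-initiated TCP
    Rule("tcp", "NYM1", ANY, "INTERNET", ANY, "permit"),                    # servers may open outbound TCP
    Rule(ANY, "NYM1", ANY, "LAX1", ANY, "permit"),                          # inter-DC: all ports open by default
    Rule(ANY, "LAX1", ANY, "NYM1", ANY, "permit"),
]

# Constructed traffic sample (label, packet), processed in order.
TRAFFIC = [
    ("client opens https", Packet("tcp", "198.51.100.7", 51000, "10.1.0.10", 443)),
    ("client probes ssh", Packet("tcp", "198.51.100.7", 51001, "10.1.0.10", 22)),
    ("server fetches update", Packet("tcp", "10.1.0.10", 40000, "203.0.113.5", 80)),
    ("update server replies", Packet("tcp", "203.0.113.5", 80, "10.1.0.10", 40000, ack=True)),
    ("unsolicited ACK to ssh", Packet("tcp", "198.51.100.7", 51002, "10.1.0.10", 22, ack=True)),
    ("NYM1 db to LAX1 replica", Packet("tcp", "10.1.0.10", 40001, "10.2.0.20", 3306)),
]


def compare():
    """Return {label: (stateless decision, stateful decision)} for the sample traffic."""
    stateful = StatefulFilter(RULES)
    return {label: (stateless_acl(RULES, p), stateful.decide(p)) for label, p in TRAFFIC}


if __name__ == "__main__":
    for label, (acl, sf) in compare().items():
        print(f"{label:24s} ACL={acl:6s} stateful={sf}")
```

The one row where the two disagree is the unsolicited ACK-flagged packet: the `established` rule has to admit it because the flag is all a stateless filter can see, whereas the connection table has no matching flow and falls through to the default deny. Every other decision is identical, which is the point of answer 1: for inbound traffic to servers that do not initiate much, the ACL gives the same result without per-connection state.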

________________________________
From: AppNexus PWC Support - Carl Tewksbury appnexus@peakwebconsulting.com
Sent: Thursday, July 03, 2008 09:26
To: 'Mike Nolet'
Cc: AppNexus PWC Support
Subject: RE: question from customer

  • Dani, please fill in what I may have missed here (wink)
  • Why ACLs versus a full stateful Firewall?

Stateful inspection is most useful for protecting outbound initiated traffic as it allows robust protection for ESTABLISHED traffic – such as an office, where users are initiating the traffic. In the hosting world, the servers don't do much initiating, but rather are the recipients. Hence we are dealing with an unknown amount of traffic (internet users) vs. a known amount of user base, in say an office. This leads to the largest issue: scaling. Stateful inspection is an expensive task for a device to perform. Therefore they are subject to strict capacity limitations (we're talking sub Gigabit for most firewalls). Filtering inbound customer traffic through stateful inspection could become quite cumbersome and expensive while the Cisco routers perform ACL packet filtering in hardware at line rate! The bottom line is, ACLs are far more scalable and efficient for protecting inbound traffic to servers, while stateful inspection is appropriate for smaller amounts of outbound traffic or protecting niche pieces of the network, for example ecomm databases.

Dani: Carl hit the nail on the head as far as technical reasons – stateful firewalls are considerably more expensive to scale. The ACLs that you have have absolutely no performance hit - and can be implemented at full "line rate." What I would add here is in the answer to the customer you should indicate that "line-rate basic ACL packet filtering is included in the current cost, however stateful firewalling can be added for a fee." Sure, you can buy some NetScreen firewalls and provide them as a managed service if a customer desired – you just need to make sure you are compensated.

  • What are the security implementations at each layer?

Layer 1 - (Physical Layer) - All your network gear and servers are protected in secure, locked colocation facilities.

Layer 2 - (Data Link Layer) - Extensive use of VLANs provides segregation of customer traffic from AppNexus traffic as well as other customers' traffic.

Layer 3 - (Network Layer) - Bi-directional ACLs are applied on every routing interface with a Default Deny policy, meaning only explicitly permitted traffic is allowed to pass.

Layer 4 - (Session Layer) - The use of TCP based protocols provides connection reliability and allows for session protection via ACLs and host firewalling.

...

Layer 7 - (Application Layer) - Extensive use of encryption (SSH, SSL-VPN) throughout the network.

Dani: Again, spot on (if I understood the customer's question properly).

  • How do we detect, prevent & manage DDoS attacks, and how do we prevent, detect & manage application level attacks

Preemptive protection against DDoS attacks is difficult as we have no way of knowing when/where or what type to expect. The use of Cisco ACLs allows us to leverage the hardware capacity in the event of an attack by applying deny statements for the source of the attack while not affecting performance of the rest of the network. Also, we highly recommend customers utilize the F5 server load balancing technology for front-ending their web applications as they provide built-in DDoS protection.

Dani: As Carl said, the F5s offer some built-in DDoS protection when they perform full-proxy session offload. However I would argue that AppNexus does not manage nor monitor the customer's application (not even their OS), so I would say this question is not applicable to the service that AppNexus provides as I know it. AppNexus provides low-level services such as CPU, RAM, storage, Internet pipe, basic packet filtering, and basic server load-balancing. I don't know that AppNexus provides application-level services such as DB table management, SQL procedures, or other application levels (such as PHP).

  • What is the capacity of our VPN hardware?

The VPN hardware in place currently is an SSL-VPN device which was purchased for the purpose of AppNexus management. I would not suggest pitching this device as usable by customers. If the desire for VPN access becomes great enough from customers, I would recommend purchasing a larger, HA pair for this purpose.

Dani: Agreed – there is no customer-allocated VPN hardware, the answer to the customer is "what VPN capabilities do you need?" and then we can work on hardware for you, and you can figure out what to charge the customer. To be clear, the current VPN will support 10 connections - it's tiny and was intended for administrative purposes (the only thing you currently need it for is DRAC access).

-Carl

________________________________
From: Mike Nolet mike@appnexus.com
Sent: Wednesday, July 02, 2008 6:20 PM
To: AppNexus PWC Support
Subject: question from customer
Dani, some questions from a customer of ours:

  • Why ACLs versus a full stateful Firewall?
  • What are the security implementations at each layer?
  • How do we detect, prevent & manage DDoS attacks, and how do we prevent, detect & manage application level attacks
  • What is the capacity of our VPN hardware?