topic Re: Multihomed Blade Server as Dual Webserver in Operating System - HP-UX

Multihomed Blade Server as Dual Webserver

steve burk_1 — Fri, 04 Sep 2009 19:13:46 GMT

I have a standard blade with 2 nic's. I want to have one webserver use one nic and another webserver use the other. One would go out through one firewall and the other through a different firewall.
Is there anything wrong with this configuration?

Re: Multihomed Blade Server as Dual Webserver

Matti_Kurkela — Sat, 05 Sep 2009 08:47:46 GMT

Yes, there is at least one technical issue: by default, HP-UX network routing selects where to send a packet based on destination address only.

When deciding where to send a packet, the HP-UX system reads the routing table from the beginning to the end. The first matching entry is used; other matching routes are considered only if the first one seems to be failing.

If you set up two default gateways, only one of them (the top-most one in the routing table) will get used. Requests would be coming in through both firewalls, but all responses would be going through just one or the other: a standard case of asymmetric routing. If your firewalls are tracking TCP sessions, they most likely won't like this.

With some advanced configuration, it may be possible to avoid this problem.

Please read this document, particularily from page 10 to the end of the document:

http://mayoxide.com/presentations/Understanding_hpux_routing.pdf

-----------
There is also a security/policy issue: the presence of two different firewalls would indicate that there are two security domains (basically, network segments with their own access control rules).

The standard assumption would be that there is a valid reason for separating things into two security domains. Joining them together with a device that is not a firewall is bad enough, but your device is a web server, which tends to be a very prominent target for attacks by definition.

You're giving the potential intruder a 2-for-1 deal: "choose the weaker firewall and you can bypass the stronger one". Most information security people would not be happy at all to find their security structures undermined like this.

MK

Re: Multihomed Blade Server as Dual Webserver

steve burk_1 — Sat, 05 Sep 2009 16:01:57 GMT

So what you're saying is there should be one blade for one website on port 80?

Re: Multihomed Blade Server as Dual Webserver

steve burk_1 — Sat, 05 Sep 2009 19:15:01 GMT

to fix the routing problem could one do the following:

route add host < blade nic 1>

route add host < blade nic 2>

What do you think??

Re: Multihomed Blade Server as Dual Webserver

Matti_Kurkela — Sun, 06 Sep 2009 06:49:26 GMT

>route add host < blade nic 1>

>route add host < blade nic 2>

With settings like these, only gateway address1 will be used.

Please, *read the document* I linked. It explains a lot better.

MK