
Multihomed Blade Server as Dual Webserver

 
steve burk_1
Occasional Advisor

I have a standard blade with 2 NICs. I want to have one webserver use one NIC and another webserver use the other. One would go out through one firewall and the other through a different firewall.
Is there anything wrong with this configuration?
Matti_Kurkela
Honored Contributor

Re: Multihomed Blade Server as Dual Webserver

Yes, there is at least one technical issue: by default, HP-UX network routing selects where to send a packet based on destination address only.

When deciding where to send a packet, the HP-UX system reads the routing table from the beginning to the end. The first matching entry is used; other matching routes are considered only if the first one seems to be failing.

If you set up two default gateways, only one of them (the top-most one in the routing table) will get used. Requests would be coming in through both firewalls, but all responses would be going through just one or the other: a standard case of asymmetric routing. If your firewalls are tracking TCP sessions, they most likely won't like this.

With some advanced configuration, it may be possible to avoid this problem.

Please read this document, particularly from page 10 to the end of the document:

http://mayoxide.com/presentations/Understanding_hpux_routing.pdf

-----------
There is also a security/policy issue: the presence of two different firewalls would indicate that there are two security domains (basically, network segments with their own access control rules).

The standard assumption would be that there is a valid reason for separating things into two security domains. Joining them together with a device that is not a firewall is bad enough, but your device is a web server, which tends to be a very prominent target for attacks by definition.

You're giving the potential intruder a 2-for-1 deal: "choose the weaker firewall and you can bypass the stronger one". Most information security people would not be happy at all to find their security structures undermined like this.

MK
steve burk_1
Occasional Advisor

Re: Multihomed Blade Server as Dual Webserver

So what you're saying is there should be one blade for one website on port 80?
steve burk_1
Occasional Advisor

Re: Multihomed Blade Server as Dual Webserver

To fix the routing problem, could one do the following:

route add host < blade nic 1>

route add host < blade nic 2>

What do you think??
Matti_Kurkela
Honored Contributor

Re: Multihomed Blade Server as Dual Webserver

>route add host < blade nic 1>

>route add host < blade nic 2>

With settings like these, only gateway address1 will be used.

Please, *read the document* I linked. It explains a lot better.

MK
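
The asymmetric routing described in the replies above, as an added example that is not part of the original thread: a small Python model of destination-only, first-match route selection with two default gateways and a session table per firewall. All addresses are constructed sample values, and the rule that a firewall drops a reply for a session it never saw open is an assumption of the model.

```python
import ipaddress

# Constructed sample addresses (documentation ranges); none come from the thread.
NIC1, NIC2 = "192.0.2.10", "198.51.100.10"   # the blade's two interfaces
GW_A, GW_B = "192.0.2.1", "198.51.100.1"     # inside addresses of firewall A and B
INGRESS_GW = {NIC1: GW_A, NIC2: GW_B}        # firewall in front of each NIC
ROUTES = [("0.0.0.0/0", GW_A), ("0.0.0.0/0", GW_B)]  # two default routes, table order
REQUESTS = [("203.0.113.5", NIC1), ("203.0.113.77", NIC2)]  # (client, local address)


def pick_gateway(dst, routes):
    """Destination-only lookup as the reply describes it: first matching entry wins."""
    addr = ipaddress.ip_address(dst)
    for net, gateway in routes:
        if addr in ipaddress.ip_network(net):
            return gateway
    return None


def trace(requests, routes):
    """Follow each request in and its reply out, with a session table per firewall."""
    sessions = {gw: set() for gw in INGRESS_GW.values()}
    results = []
    for client, local_ip in requests:
        ingress = INGRESS_GW[local_ip]
        sessions[ingress].add((client, local_ip))   # firewall records the inbound session
        egress = pick_gateway(client, routes)       # the source address plays no part
        # Assumption: a stateful firewall drops a reply for a session it never saw open.
        delivered = (client, local_ip) in sessions.get(egress, set())
        results.append({"local_ip": local_ip, "ingress": ingress,
                        "egress": egress, "delivered": delivered})
    return results


def broken_sites(requests, routes):
    """Local addresses whose replies leave through the other firewall."""
    return [r["local_ip"] for r in trace(requests, routes) if not r["delivered"]]


if __name__ == "__main__":
    for row in trace(REQUESTS, ROUTES):
        print(row)
    print("broken with A on top:", broken_sites(REQUESTS, ROUTES))
    print("broken with B on top:", broken_sites(REQUESTS, ROUTES[::-1]))
```

Reversing the order of the two default routes moves the failure to the other web server rather than removing it.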