Elcom’s Got A New Firewall
We have had this firewall for a little while now, it was only Sunday morning (12am onward) that we were able to install the appliance, as Elcom also acquired its own IPv4 Range, as opposed to using one of ATP’s (Australian Technology Park) range.
The job was huge (and something I am very proud of) as we had the massive tasks of changing all clients DNS both internal and roughly 150-200 External DNS’s, Configuring the firewall and then implementing.
here is a rough plan of how we went about it.
- We first started to collate a list of all domains that we hosted from our IIS servers
- We Then created a script to go through and complete Ping and NSlookup requests against every single domain
- Taking the log file that the script created we then were able to determine what Domains we hosted and had control of the DNS, and also had a list of what we didn’t have control of.
- Before we could go changing DNS’s we needed to ensure that there was no down time for any of the sites, as this we see as not acceptable. So we devised a plan where we would take of our DMZ internal range and give the subnet a 255.255.254.0, which effectively gives us another 0 – 255 set of IP addresses.
- We then set this on the firewall (again no down time was required here) with NAT and changing a few subnet’s
- Now that we had a range that was being routed through the firewall we needed just needed to add them to the interfaces, however we wanted this to have alot more structure and organization for future growth, as the range before was fast becoming outgrown and as a consequence had lost any meaning to what what was and where it was located, so we needed to figure out a mapping plan.
- Now that we had put down what server gets what IP(s) we were ready to start adding the additional internal range to our network interfaces.
- Once this was done we needed once again to put pen to paper… Here we had to analysis the traffic usage for the last 12 – 6 months from clients, this told us who we can put on shared IP and of course who needs to go on a dedicated IP address.
- After this was nutted out we then could go into IIS and then apply the new IP to each web site and host header.
- Only after this was completed on all web servers could we start changing the DNS’s that we had control of
- Once this was completed we ran a ping test on all the domains we had access to change to ensure nothing was missed.
- Once we could ensure that all the DNS’s we had control of were completed, I had the task of coordinating who would contact which client, once I had created this list it was distributed to each member of helpdesk (and myself) and we went calling crazy. This persisted for about 2 solid months of constant calling to get the client to change the DNS. But in the end we got every client over to the new IP range
- Configure the firewall, I undertook this task, because our previous firewall I had inherited when I got to Elcom, and the policy’s I did not agree with, I felt that they were far to open, so being the security conscious person I am, or like to be (most of the time) I really put alot of thought and effort into this firewall. I dislike lots of polices, as it slows down the firewall, its harder for the user to read and understand. So I wanted to condense it but yet has a very secure network, so I created groupings for everything I could think of, Production Web servers, Dev Web servers, ALL web servers, Mail servers, Services, the list goes on and on. But this really made it ALOT easier to put together the polices. With this Being that we could not test the firewall to its full potential before going live, I rechecked and rechecked, I also had Alan recheck the firewall settings. I also did put fail safe policies in place that were more open (these were not active at the time just there as a just in case)
- Now that the firewall was done we needed to do some checking, so Alan setup a 3rrd party app that did monitoring on every single web site through our ADSL connection (external from Elcom) to ensure everything looked healthy from the outside. In addition to this Alan also setup another PC that had all of our external IP address added to the 1 interface of a server, where this would show a message explaining that maintainance was being completed
- We then were ready to rock and roll, so after giving sufficient notice to our clients we changed the firewall over.
As you can see there is a considerable amount of preparation into the whole saga, but all in all it was a very smooth transition with minimal downtime for clients, and now we have a very clean secure firewall, which is now out showing huge network increases. This is mainly due to the fact that now the DMZ (web servers) and the Trust (Database Servers) are on full gigabit links, as the firewall was out bottleneck previously.
We can see that we are now getting about 350MB/S speeds through transferring over the 2 networks, the response times of web sites have decreased by an average of 35milli seconds, Latency has decreased.
as a result of quicker and more secure environment I am now getting more sleep at home now