If you've ever wondered how microsoft.com uses our technology then read on. I recently came across some good information from the folks over at the Operations team at Microsoft.com. The thread basically talks about how we use IIS, Firewalls and Windows Server 2008. I think as we come up to launch next year it's a really good and quick insight into what they do and how they do it. So enjoy the reading and let me know what you think..Pretend I've asked about how they protect our sites...
At this point we still don't use firewalls for MS.COM sites and don't have any plans on the books to put them in place. Here is the short answer as to why:
- <>We don't handle HBI data so we don't have the need for external logging capabilities. If we did handle HBI, we'd have firewalls.
- 5+ years ago, there wasn't a firewall solution that would scale to our needs and this forced us to focus on network, host, and application security. Based on the success of that work, we've not looked further at firewalls even though there are solutions that I believe (haven't tested) would handled the traffic load (our non-download based web traffic alone can be in the 8-9 Gbps range and ~30 total for internal hosted traffic).
- We also used NLB for load balancing exclusively up until July 2006 and the micro segmentation of networks required by that solution made firewalls an expensive and very complex solution. Again, especially at the scalability that used to be available.
- Application security is critical since a firewall is likely going to allow traffic on the correct port and protocol through to the web servers so IIS/ASP.NET/Applications must deal with these requests gracefully. I realize there are other options/features of firewalls/IPS that provide other options.
In terms of how we protect the sites, we utilize (starting at the outside edge of the network and working in)[...]