Re: Question re: load balancers as a security device

From: Matthew Leeds (mleeds@theleeds.net)
Date: Tue Jan 22 2008 - 14:56:14 EST


The answer is, it depends. It depends on the network design and the technology used by the load balancer. For example, a round-robin DNS load balancer offers no security. Sure, one could argue that since you don't expose the host via a public IP address there is no risk. That's not the case. You might want to read:

http://www.networkcomputing.com/1102/1102ws1.html

or if you are a MS shop:

http://www.microsoft.com/downloads/details.aspx?FamilyID=A101CA7D-6FCD-44BF-8BE1-47F1462DCB24&displaylang=en
http://207.46.196.114/WindowsServer/en/Library/fa6ef832-1aa7-472f-b492-0dd3c60bd46d1033.mspx

----------
---Matthew
*********** REPLY SEPARATOR ***********

On 1/22/2008 at 3:05 PM dan.tesch@comcast.net wrote:

>I'm new to a company that has a large number of sites parked on managed
>servers at a hosting facility - the servers, firewalls and load balancers
>are exclusive to our use but managed by the ISP.
>
>In reviewing our site design I have seen that the VPN between our LAN and
>the hosting facility permits all IP traffic in both directions -
>effectively making these public facing servers part of our LAN in my
>opinion.
>
>For obvious reasons I'm looking to change this. Nobody is lobbying
>against the change but a senior developer that was involved in the
>original design points out that because of the load balancers in front of
>the servers, the world at large is not able to touch the machines and thus
>the potential for compromise is limited.
>
>Could I get some comments from this community about how vulnerable or not
>this type of setup might be? I'm looking for specific info related to the
>load balancers, not commentary about the corporate LAN in this situation -
>even if the combination of the firewalls and load balancers provides 99.9%
>protection I think it is a bad idea and would most likely not pass PCI
>scrutiny.
>
>Thanks
>
>------------------------------------------------------------------------
>This list is sponsored by: Cenzic
>
>Need to secure your web apps NOW?
>Cenzic finds more, "real" vulnerabilities fast.
>Click to try it, buy it or download a solution FREE today!
>
>http://www.cenzic.com/downloads
>------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:21 EDT