From: Justin Ferguson (jnferguson@gmail.com)
Date: Tue Jan 22 2008 - 15:09:15 EST
On Jan 22, 2008, at 8:05 AM, dan.tesch@comcast.net wrote:
>
> In reviewing our site design I have seen that the VPN between our
> LAN and the hosting facility permits all IP traffic in both
> directions - effectively making these public facing servers part of
> our LAN in my opinion.
>
well wait, please clarify- is VPN access required to access thus
network segment?
>
> [...]
> because of the load balancers in front of the servers, the world at
> large is not able to touch the machines and thus the potential for
> compromise is limited.
>
well the thing is that at least in theory they're not directly
addressable externally, however your load balancer forwards requests
on to the boxes, so the attack surface exists and its not like connect
back shells are uncommon.
Now, depending on how the load balancer works, it may normalize or
sanity check protocol data that causes a bug to be unexploitable from
that side of the network.
I'd be asking how, exactly, this dev came to this conclusion as it
seems like a pretty shaky argument IMHO
>
>
> Thanks
>
> ---
> ---------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ---
> ---------------------------------------------------------------------
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:21 EDT