Re: Question re: load balancers as a security device

From: David Glosser (david_glosser@yahoo.com)
Date: Tue Jan 22 2008 - 15:31:44 EST


-Sounds like employees at the ISP have access to those servers, and by extension, could get into your network.
-Many ISPs have "service" networks for backups and management - what if a server on the same backup segment has a virus and infects your machine and then jumps into your corporate address space?

-Unless the load balancers are doing some sort of filtering, it seems that the machines are being touched -- the load balancers are basically deciding WHICH machine will be accessed, and pass everything, such as injection attempts, through to the web server behind them.

----- Original Message ----
> From: "dan.tesch@comcast.net" <dan.tesch@comcast.net>
> To: pen-test@securityfocus.com
> Sent: Tuesday, January 22, 2008 10:05:28 AM
> Subject: Question re: load balancers as a security device
>
> I'm new to a company that has a large number of sites parked on managed
> servers at a hosting facility - the servers, firewalls and load
> balancers are exclusive to our use but managed by the ISP.
>
> In reviewing our site design I have seen that the VPN between our LAN
> and the hosting facility permits all IP traffic in both directions -
> effectively making these public-facing servers part of our LAN in my
> opinion.
>
> For obvious reasons I'm looking to change this. Nobody is lobbying
> against the change but a senior developer who was involved in the
> original design points out that because of the load balancers in front of
> the servers, the world at large is not able to touch the machines and thus
> the potential for compromise is limited.
>
> Could I get some comments from this community about how vulnerable or
> not this type of setup might be? I'm looking for specific info related
> to the load balancers, not commentary about the corporate LAN in this
> situation - even if the combination of the firewalls and load balancers
> provides 99.9% protection I think it is a bad idea and would most likely
> not pass PCI scrutiny.
>
> Thanks
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
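The two messages above turn on one configuration point: a site-to-site VPN that permits all IP traffic in both directions makes the hosted web servers reachable from, and able to reach, every host on the corporate LAN, whatever the load balancers in front of them do. The script below is an added illustration, not code from either poster: it models a first-match firewall policy, places the "all IP traffic in both directions" rule next to a scoped rule set that permits only the flows the business needs, and lists which LAN services a web server could open connections to under each. All addresses, host roles and port choices are constructed for the example (192.0.2.0/24 is a documentation range).

```python
# Added example, not part of the thread: a small model of the site-to-site VPN
# policy the original question describes. Addresses, host roles and ports are
# constructed for illustration (192.0.2.0/24 is a documentation range).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None means any port


@dataclass(frozen=True)
class Flow:
    src: str               # initiating host
    dst: str               # destination host
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls within the rule's source, destination, protocol and port."""
    return (
        ip_address(flow.src) in ip_network(rule.src)
        and ip_address(flow.dst) in ip_network(rule.dst)
        and rule.proto in ("any", flow.proto)
        and rule.dport in (None, flow.dport)
    )


def evaluate(rules: list[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied (the usual firewall default).
    The model is stateless and only judges the initiating direction, which is what a
    stateful firewall needs a rule for; return traffic rides on the established state."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def reachable(rules: list[Rule], src: str,
              targets: list[tuple[str, str, int]]) -> set[tuple[str, int]]:
    """Which (host, port) pairs can `src` open a connection to under `rules`?"""
    return {
        (dst, port)
        for dst, proto, port in targets
        if evaluate(rules, Flow(src, dst, proto, port)) == "permit"
    }


# Constructed address plan (assumption, not from the thread).
CORP_LAN = "10.1.0.0/16"          # the corporate LAN
HOSTING = "192.0.2.0/24"          # the hosted, public-facing segment
WEB_SERVERS = "192.0.2.0/26"      # web servers behind the load balancers
ADMIN_JUMP = "10.1.10.5/32"       # LAN host from which admins manage the web tier
BACKUP_SERVER = "10.1.50.10/32"   # LAN host that receives backups

# Policy A: what the question describes, "all IP traffic in both directions".
PERMIT_ALL = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0", "any", None)]

# Policy B: only the flows the business actually needs, each pinned to specific
# endpoints and ports; everything else falls through to the implicit deny.
SCOPED = [
    Rule("permit", ADMIN_JUMP, WEB_SERVERS, "tcp", 22),       # admin SSH to the web tier
    Rule("permit", WEB_SERVERS, BACKUP_SERVER, "tcp", 873),   # rsync push to the backup host
]

WEB_SERVER = "192.0.2.10"   # one web server behind the load balancer

# LAN services worth asking about when assessing what a web-tier compromise
# would expose (constructed sample).
LAN_TARGETS = [
    ("10.1.50.10", "tcp", 873),   # backup host, rsync
    ("10.1.0.2", "tcp", 389),     # directory server, LDAP
    ("10.1.20.33", "tcp", 445),   # user workstation, SMB
    ("10.1.10.5", "tcp", 3389),   # admin jump host, RDP
]


def lan_exposure(rules: list[Rule]) -> set[tuple[str, int]]:
    """What the web server can reach on the corporate LAN under a given policy."""
    return reachable(rules, WEB_SERVER, LAN_TARGETS)


if __name__ == "__main__":
    for name, policy in (("permit-all", PERMIT_ALL), ("scoped", SCOPED)):
        print(f"{name}: web server can reach {sorted(lan_exposure(policy))}")
```

Under the permit-all policy every LAN target is reachable from the web server, which is the "part of our LAN" situation the question describes; under the scoped policy only the backup host on its rsync port is, and a management host other than the jump box is denied SSH to the web tier. The same evaluator can be pointed at the reverse direction (LAN hosts initiating toward the hosted segment) to check that the ISP's management and backup networks, which the reply raises, are also pinned to specific endpoints rather than the whole address space.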



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:21 EDT