From: Timothy Shea (tim@tshea.net)
Date: Wed Jan 23 2008 - 23:30:04 EST
re: Load-balancers aren't security devices, period.
Bullocks. All devices are security devices. A load balancer is part
of an overall architecture that make up part of the service you are
trying to provide to your customers. Do tell - explain to me the
difference of forwarding a single port via a Cisco Content Switch and
an ACL for that same port on a Pix firewall? What value is that pix
firewall really adding? What magical inspection is it doing to the
http or https data stream? At least the load balancer can offload the
SSL handshake from the servers.
I am not saying to exclude the firewall or other tools per the needs
and requirements of the application - but my point is simple - all
devices in the chain are part of a complete security architecture
which is to provide secure and available (key word here!!) access to
the application in question. I have grown tired of the classification
of devices as "security" or "non-security".
t.s
On Jan 22, 2008, at 8:32 PM, Roland Dobbins wrote:
>
> On Jan 22, 2008, at 11:05 PM, <dan.tesch@comcast.net> wrote:
>
>> Could I get some comments from this community about how vulnerable
>> or not this type of setup might be? I'm looking for specific info
>> related to the load balancers not commentary about the corporate
>> LAN in this situation - even if the combination of the firewalls
>> and load balancers provide 99.9% protection I think it is a bad
>> idea and would most likely not pass PCI scrutiny.
>
> Load-balancers aren't security devices, period. They're load-
> balancers - that's it. Any protocol/ports you forward to the real
> servers means that someone can potentially reach out and touch the
> real servers to whom they happen to be load-balanced.
>
> The public-facing servers should not effective be behind the
> firewall protecting your desktop LANs, as you indicate. They should
> be northbound of it, from a logical standpoint.
>
> Furthermore, I'd strongly suggest investing in some DDoS protection
> for those servers along the lines of iACLs, S/RTBH, and possibly a
> 'Clean Pipes'-type service from an ISP or your own implementation
> using traffic scrubbers.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
>
> Culture eats strategy for breakfast.
>
> -- Ford Motor Company
>
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:21 EDT