Re: Question re: load balancers as a security device

From: Roland Dobbins (rdobbins@cisco.com)
Date: Sat Jan 26 2008 - 09:07:20 EST


On Jan 24, 2008, at 12:30 PM, Timothy Shea wrote:

> Bullocks. All devices are security devices.

Untrue. Routers, switches, DDoS mitigation devices, traffic
classification tools, et al. are security devices. Load-balancers
are not security devices, as they instantiate a lot of state in front
of the load-balanced devices, typically rendering them more vulnerable
to DDoS, and all too often are deployed without the additional tools/
techniques required to mitigate the effects of DDoS.

> A load balancer is part of an overall architecture that makes up
> part of the service you are trying to provide to your customers.

Security is a function of architecture, yes, of course. They are
inseparable.

> Do tell - explain to me the difference of forwarding a single port
> via a Cisco Content Switch and an ACL for that same port on a Pix
> firewall?

I don't take this as a serious question, so I'm not going to bother
typing out a response.

> What value is that pix firewall really adding? What magical
> inspection is it doing to the http or https data stream? At least
> the load balancer can offload the SSL handshake from the servers.

Why all the vitriol with regards to firewalls? I've said nothing
about them. I'm pretty well-known in the operational community for
pointing out that firewalls are fixed policy enforcement devices, but
that this is *only one aspect of security*, not the be-all/end-all
many seem to believe. I'm an advocate of reaction techniques such as
S/RTBH, which merely rely upon routers and other inherent properties
of the infrastructure.

> I am not saying to exclude the firewall or other tools per the needs
> and requirements of the application - but my point is simple - all
> devices in the chain are part of a complete security architecture
> which is to provide secure and available (key word here!!) access to
> the application in question. I have grown tired of the
> classification of devices as "security" or "non-security".

Again, I find this fixation upon firewalls to be very peculiar, since
I've not mentioned them and in fact believe them to be *vastly*
overrated when compared to other, more fundamental and organic
security tools/techniques.

You're preaching to the choir with regards to the points about
architecture and about the fact that most devices/features/functions/
techniques which can classify and/or manipulate traffic certainly have
security value.

*What I have grown tired of* is the continuing lack of understanding
of the concept of DDoS attacks being attacks against capacity and/or
state, and that instantiating a lot of state in front of a host,
either with a load-balancer or with a firewall, renders said host
*more* vulnerable to the DDoS, not less.

I continue to assert that load-balancers do not have a strong inherent
security value, except in the negative sense when they are deployed
without mitigatory tools/techniques such as stateless ACLs, S/RTBH,
and/or DDoS mitigation systems. I will further assert that routing
techniques such as S/RTBH and anycast *do* have inherent security value,
as they are great aids to availability without significant inherent
weaknesses.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

        Culture eats strategy for breakfast.

            -- Ford Motor Company
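As an added illustration (not part of the original message) of the capacity/state argument made above: a toy model of the connection table of a stateful front-end (load-balancer or firewall) under a spoofed flood, with and without a stateless upstream source-based drop standing in for S/RTBH. The addresses, table size, timeout and traffic rates are constructed.

```python
"""Toy model: a stateful device in front of a host keeps one entry per
connection it sees. Once its table is full, legitimate clients are refused
even though the host behind it is idle. A stateless drop applied upstream
(here: blackholing the flood's source prefix, as S/RTBH would) sheds the same
packets without creating any state. All values below are constructed."""
from dataclasses import dataclass, field
import random


@dataclass
class StateTable:
    capacity: int
    ttl: int                      # ticks an idle entry survives
    entries: dict = field(default_factory=dict)  # (src, sport) -> last-seen tick
    refused: int = 0

    def expire(self, now):
        dead = [k for k, t in self.entries.items() if now - t >= self.ttl]
        for k in dead:
            del self.entries[k]

    def admit(self, flow, now):
        """Return True if the flow holds a state entry, False if refused."""
        self.expire(now)
        if flow in self.entries:
            self.entries[flow] = now
            return True
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return False
        self.entries[flow] = now
        return True


def simulate(flood_pps, ticks, blackhole, capacity=1000, ttl=30,
             legit_per_tick=20, seed=1):
    """Run a spoofed flood against a StateTable; return the share of
    legitimate flows that were admitted (1.0 = none refused)."""
    rng = random.Random(seed)
    table = StateTable(capacity, ttl)
    legit_ok = legit_total = 0
    for now in range(ticks):
        # Flood: spoofed sources in 203.0.113.0/24 (TEST-NET-3), new port each packet
        for _ in range(flood_pps):
            src = f"203.0.113.{rng.randrange(256)}"
            if blackhole and src.startswith("203.0.113."):
                continue          # stateless upstream drop: no table entry consumed
            table.admit((src, rng.randrange(1024, 65536)), now)
        # Legitimate clients from 198.51.100.0/24, one new connection each
        for _ in range(legit_per_tick):
            legit_total += 1
            flow = (f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536))
            if table.admit(flow, now):
                legit_ok += 1
    return legit_ok / legit_total
```

With the flood passed through, the table fills within two ticks and legitimate clients are only admitted in the brief windows when old entries time out; with the upstream drop in place every legitimate connection succeeds.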
