Re: F5 and similar

From: Luis Cerdas (luis.cerdas@rawten.net)
Date: Wed Aug 27 2003 - 12:01:51 EDT


> However, the F5 and other LBs are NOT security products and thus don't
> contain network/application security features found in other products,
> instead these products cover the Availability of the CIA security
> trilogy.

Actually, Radware's LBs, with their SynApps modules (specifically the
"Application Security" module), provide filtering fw capabilities (src,
dst, src-port, dst-port filtering rules), and can even go up to layer 7
and provide application filtering rules on content delivery; the boxes
also provide (w/ SynApps) out of the box packet filtering (through
packet disassembly similar to that used by an IDS) for virtually
anything that you want filtered, and include protection from attacks
like CodeRed, Nimda, and recently, MSBlaster (this security, however,
is not limited only to worms, but virtually any type of IP traffic).
This type of module then provides another layer of protection for the
server farms.

A load balancer can be installed either inline or out-of-path. In the
first scenario, the web servers can be configured with private IP
addresses, and a public, virtual IP (vIP) address can be configured for
the farm; however, the web servers could also have public IP addresses,
and the farm a public vIP, with the load-balancer acting as a bridge
that redirects the traffic at the MAC layer.

In the second scenario, the load-balancer is part of the same public
subnet as the web servers, which each have their own public IP address.
A farm is configured with a vIP belonging to that subnet, and requests
are redirected to each web server. In this case, it is possible to
use redirects, or a type of NAT to masquerade the replies as coming
from the vIP of the farm.

When an SSL accelerator is used, it establishes the encrypted channel
with the client, and then can handle two options: 1- an unencrypted
communication channel through which requests are sent to the farm; 2-
an encrypted channel with much lower encryption keys (40/56 bit) to the
farm/web servers.

If the load balancer is deployed as in the second scenario (with or
without the SSL accelerator), depending on the rest of the filtering rules
leading up to the subnet (probably enforced by a router or firewall),
it is possible to attack the public IP address of each of the
web servers that make up the farm; this is especially true if a server on
the same subnet is compromised and an attack can be launched from there
(email server, for example).
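The out-of-path scenario above leaves each web server's own public address reachable unless the router/firewall (and the hosts) filter for it. The following is an added example, not part of the original post or any vendor's product: it models the filtering policy that closes that gap (clients reach only the vIP; a real server's own address accepts web traffic only from the load balancer) and renders it as iptables rules. All addresses are constructed RFC 5737 test values.

```python
"""Filtering policy for the out-of-path load-balancer scenario.

The farm vIP, the load balancer and each real web server share one public
subnet with unrelated hosts (the post's example: a mail server). decide()
models the policy the router/firewall in front of that subnet, and the hosts'
own packet filters, should enforce; render_iptables() emits it as rules.
Constructed example addresses (RFC 5737 TEST-NET-2/3) throughout.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

VIP = ip_address("203.0.113.10")            # farm virtual IP
LB = ip_address("203.0.113.2")              # load balancer's own address
REAL_SERVERS = (ip_address("203.0.113.21"), ip_address("203.0.113.22"))
MAIL_SERVER = ip_address("203.0.113.50")    # same-subnet neighbour
CLIENT = ip_address("198.51.100.7")         # an Internet client
WEB_PORTS = (80, 443)


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int          # TCP destination port


def decide(flow: Flow) -> str:
    """Return 'ACCEPT' or 'DROP' for a TCP flow arriving at the web tier."""
    # Any client, from the Internet or the same subnet, reaches the farm
    # only through the vIP, and only on the web ports.
    if flow.dst == VIP:
        return "ACCEPT" if flow.dport in WEB_PORTS else "DROP"
    # A real server's own address accepts web traffic only from the LB
    # (the source it sees in the NAT variant; assumed here: in the MAC-level
    # redirect variant forwarded packets keep the vIP as destination, so the
    # real addresses need no client traffic at all). A compromised neighbour
    # such as the mail server therefore cannot reach a real server directly.
    if flow.dst in REAL_SERVERS:
        return "ACCEPT" if flow.src == LB and flow.dport in WEB_PORTS else "DROP"
    return "DROP"  # default deny for anything else addressed to the tier


def render_iptables(chain: str = "FORWARD") -> list[str]:
    """Emit the same policy as iptables rules for the filtering router."""
    ports = ",".join(map(str, WEB_PORTS))
    rules = [f"iptables -P {chain} DROP",
             f"iptables -A {chain} -d {VIP} -p tcp -m multiport --dports {ports} -j ACCEPT"]
    for real in REAL_SERVERS:
        rules.append(f"iptables -A {chain} -s {LB} -d {real} -p tcp "
                     f"-m multiport --dports {ports} -j ACCEPT")
    return rules


if __name__ == "__main__":
    print(decide(Flow(MAIL_SERVER, REAL_SERVERS[0], 80)))   # DROP
    print("\n".join(render_iptables()))
```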
