Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Question re: load balancers as a security device

from [David Glosser] Network Security [Permanent Link]
Subject: Re: Question re: load balancers as a security device
Date: Tue, 22 Jan 2008 12:31:44 -0800 (PST) 
-Sounds like employees at the ISP have access to those servers, and by 
extension, could get into your network. 
-Many ISPs have "service" networks for backups and management - what if a 
server on the same backup segment has a virus and infects your machine and then 
jumps into your corporate address space? 

-Unless the load balancers are doing some sort of filtering, it seems that the 
machines are being touched -- The load balancers  basically deciding WHICH 
machine  will be accessed, and pass everything, such as through the injection 
attempts,  to the web server behind it.... 





----- Original Message ----

From: "dan.tesch@comcast.net" <dan.tesch@comcast.net>
To: pen-test@securityfocus.com
Sent: Tuesday, January 22, 2008 10:05:28 AM
Subject: Question re: load balancers as a security device

I'm new to a company that has a large number of sites parked on
managed


 servers at a hosting facility - the servers, firewalls and

load


 balancers are exclusive to our use but managed by the ISP.


In reviewing our site design I have seen that the VPN between our
LAN


 and the hosting facility permits all IP traffic in both directions

-


 effectively making these public facing servers part of our LAN in

my


 opinion.


For obvious reasons I'm looking to change this.  Nobody is
lobbying


 against the change but a senior developer that was involved in

the


 original design points out that because of the load balancers in front of

the


 servers, the world at large is not able to touch the machines and

thus


 the potential for compromise is limited.


Could I get some comments from this community about how vulnerable
or


 not this type of setup might be? I'm looking for specific info

related


 to the load balancers not commentary about the corporate LAN in

this


 situation - even if the combination of the firewalls and load

balancers


 provide 99.9% protection I think it is a bad idea and would most

likely


 not pass PCI scrutiny.


Thanks

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------






------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Question re: load balancers as a security device, Justin Ferguson
Next by Date:  Re: Oracle URL SQL Injection issue, Joxean Koret
Previous by Thread:  Re: Question re: load balancers as a security device, Dotzero
Next by Thread:  Ultra VNC-3DES-is it secure, pentestr
Indexes:  [Date] [Thread] [Top] [All Lists]