re: Load-balancers aren't security devices, period.
Bullocks. All devices are security devices. A load balancer is part
of an overall architecture that make up part of the service you are
trying to provide to your customers. Do tell - explain to me the
difference of forwarding a single port via a Cisco Content Switch and
an ACL for that same port on a Pix firewall? What value is that pix
firewall really adding? What magical inspection is it doing to the
http or https data stream? At least the load balancer can offload the
SSL handshake from the servers.
I am not saying to exclude the firewall or other tools per the needs
and requirements of the application - but my point is simple - all
devices in the chain are part of a complete security architecture
which is to provide secure and available (key word here!!) access to
the application in question. I have grown tired of the classification
of devices as "security" or "non-security".
t.s
On Jan 22, 2008, at 8:32 PM, Roland Dobbins wrote:
On Jan 22, 2008, at 11:05 PM, <dan.tesch@comcast.net> wrote:
Could I get some comments from this community about how vulnerable
or not this type of setup might be? I'm looking for specific info
related to the load balancers not commentary about the corporate
LAN in this situation - even if the combination of the firewalls
and load balancers provide 99.9% protection I think it is a bad
idea and would most likely not pass PCI scrutiny.
Load-balancers aren't security devices, period. They're load-
balancers - that's it. Any protocol/ports you forward to the real
servers means that someone can potentially reach out and touch the
real servers to whom they happen to be load-balanced.
The public-facing servers should not effective be behind the
firewall protecting your desktop LANs, as you indicate. They should
be northbound of it, from a logical standpoint.
Furthermore, I'd strongly suggest investing in some DDoS protection
for those servers along the lines of iACLs, S/RTBH, and possibly a
'Clean Pipes'-type service from an ISP or your own implementation
using traffic scrubbers.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
Culture eats strategy for breakfast.
-- Ford Motor Company
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
