Network Security Pen-Test

Re: Question re: load balancers as a security device

Subject: Re: Question re: load balancers as a security device
Date: Sat, 26 Jan 2008 22:07:20 +0800

On Jan 24, 2008, at 12:30 PM, Timothy Shea wrote:

> Bullocks. All devices are security devices.

Untrue. Routers, switches, DDoS mitigation devices, traffic classification tools, et al. are security devices. Load-balancers are not security devices, as they instantiate a lot of state in front of the load-balanced devices, typically rendering them more vulnerable to DDoS, and all too often are deployed without the additional tools/techniques required to mitigate the effects of DDoS.


> A load balancer is part of an overall architecture that makes up part of the service you are trying to provide to your customers.

Security is a function of architecture, yes, of course. They are inseparable.


> Do tell - explain to me the difference of forwarding a single port via a Cisco Content Switch and an ACL for that same port on a Pix firewall?

I don't take this as a serious question, so I'm not going to bother typing out a response.



> What value is that pix firewall really adding? What magical inspection is it doing to the http or https data stream? At least the load balancer can offload the SSL handshake from the servers.

Why all the vitriol with regards to firewalls? I've said nothing about them. I'm pretty well-known in the operational community for pointing out that firewalls are fixed policy enforcement devices, but that this is *only one aspect of security*, not the be-all/end-all many seem to believe. I'm an advocate of reaction techniques such as S/RTBH, which merely rely upon routers and other inherent properties of the infrastructure.



> I am not saying to exclude the firewall or other tools per the needs and requirements of the application - but my point is simple - all devices in the chain are part of a complete security architecture which is to provide secure and available (key word here!!) access to the application in question. I have grown tired of the classification of devices as "security" or "non-security".

Again, I find this fixation upon firewalls to be very peculiar, since I've not mentioned them and in fact believe them to be *vastly* overrated when compared to other, more fundamental and organic security tools/techniques.


You're preaching to the choir with regards to the points about architecture and about the fact that most devices/features/functions/techniques which can classify and/or manipulate traffic certainly have security value.

*What I have grown tired of* is the continuing lack of understanding of the concept of DDoS attacks being attacks against capacity and/or state, and that instantiating a lot of state in front of a host, either with a load-balancer or with a firewall, renders said host *more* vulnerable to the DDoS, not less.

I continue to assert that load-balancers do not have a strong inherent security value, except in the negative sense when they are deployed without mitigatory tools/techniques such as stateless ACLs, S/RTBH, and/or DDoS mitigation systems. I will further assert that routing techniques such as S/RTBH anycast *do* have inherent security value, as they are great aids to availability without significant inherent weaknesses.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

        Culture eats strategy for breakfast.

           -- Ford Motor Company
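The state-versus-capacity point made in the reply above can be seen in a small simulation. The following is an added illustration, not code from the list or from either author: a stateful front end (standing in for a load balancer or firewall) keeps one entry per flow in a bounded table with an idle timeout, while a stateless filter keeps no per-flow state and only applies a source-prefix ACL. All hosts, addresses, flow counts, table size and timeout are constructed for the model; the per-tick traffic mix, the table limit of 2000 entries and the 20-tick timeout are assumptions, and real devices add defences (SYN cookies, aggressive ageing) that this toy deliberately omits.

```python
"""Toy model of DDoS as an attack on *state* rather than on *capacity*.

Added illustration (not code from the thread or its authors).  A stateful
front end keeps one entry per flow in a finite table; a stateless filter keeps
none.  Traffic, addresses and thresholds below are all constructed.
"""
from dataclasses import dataclass, field


@dataclass
class StatefulFrontEnd:
    """Per-flow state with a bounded table and an idle timeout (assumed model)."""
    max_entries: int
    idle_timeout: int
    table: dict = field(default_factory=dict)   # flow key -> last-seen tick
    peak: int = 0                                # largest table size observed

    def _expire(self, now):
        stale = [f for f, seen in self.table.items()
                 if now - seen >= self.idle_timeout]
        for f in stale:
            del self.table[f]

    def admit(self, flow, now):
        self._expire(now)
        if flow in self.table:
            self.table[flow] = now
            return True
        if len(self.table) >= self.max_entries:
            return False            # table full: any *new* flow is dropped
        self.table[flow] = now
        self.peak = max(self.peak, len(self.table))
        return True


@dataclass
class StatelessFilter:
    """Per-packet ACL decision; no per-flow state, so nothing can fill up."""
    blocked_prefixes: tuple = ()  # e.g. ("203.0.113.",) once a source range is known

    def admit(self, flow, now):
        src_ip = flow[0]
        return not any(src_ip.startswith(p) for p in self.blocked_prefixes)


def build_traffic(ticks=60, legit_per_tick=5, attack_start=10, attack_per_tick=250):
    """Constructed event stream of (tick, (src_ip, src_port), is_attack).

    Legitimate clients live in 192.0.2.0/24 (documentation range); the flood
    comes from 203.0.113.0/24 and never reuses a flow, so every packet costs
    a fresh state entry on a stateful device.
    """
    events = []
    for t in range(ticks):
        for i in range(legit_per_tick):
            events.append((t, ("192.0.2.%d" % (i + 1), 1000 + t), False))
        if t >= attack_start:
            for n in range(attack_per_tick):
                src = "203.0.113.%d" % (n % 254 + 1)
                events.append((t, (src, 1024 + t * attack_per_tick + n), True))
    return events


def simulate(device, events):
    """Run the event stream through a device and count accept/drop by class."""
    counts = {"legit_ok": 0, "legit_dropped": 0,
              "attack_ok": 0, "attack_dropped": 0}
    for tick, flow, is_attack in events:
        ok = device.admit(flow, tick)
        kind = "attack" if is_attack else "legit"
        counts[kind + ("_ok" if ok else "_dropped")] += 1
    return counts


if __name__ == "__main__":
    events = build_traffic()
    stateful = StatefulFrontEnd(max_entries=2000, idle_timeout=20)
    print("stateful      ", simulate(stateful, events), "peak =", stateful.peak)
    print("stateless     ", simulate(StatelessFilter(), events))
    print("stateless+ACL ", simulate(StatelessFilter(("203.0.113.",)), events))
```

With these constructed parameters the stateful device fills its table within a few ticks of the flood starting and then drops legitimate new flows whenever no entries have aged out, even though the backend never sees more than a few hundred flows per tick; the stateless device without an ACL passes everything (the backend's capacity, not the front end's state, is what gets attacked), and the stateless device with a source-prefix ACL drops the flood while every legitimate flow still gets through.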




