Re: Question re: load balancers as a security device

On Sat, 2008-01-26 at 22:07 +0800, Roland Dobbins wrote:
> *What I have grown tired of* is the continuing lack of understanding  
> of the concept of DDoS attacks being attacks against capacity and/or  
> state, and that instantiating a lot of state in front of a host,  
> either with a load-balancer or with a firewall, renders said host  
> *more* vulnerable to the DDoS, not less.

I agree with you on this point. In my manual testing days, I have taken
down entire data-centers by manipulating the bottleneck/choke-point.

However, classifying devices as security or not security seems like a
wasted effort. Each device has a function; if you have a goal, you can
decide if the function brings you closer to, or further from that goal.

For you metric minded people out there, the new Risk Assessment Values
(RAV's) with the ISECOM's 3.x OSSTMM will really help you measure the
benefits you get by adding or removing a device from your environment.
You can use RAV's pre and post implementation to determine if the
device/function brings any "security" benefit.

Robert

-- 
Robert E. Lee
Chief Security Officer
Outpost24 - One Step Ahead
http://www.outpost24.com
 
SE Phone: +46 455-61-2320
US Phone: +1 801-924-5902
email: robert@outpost24.com


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------