Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Question re: load balancers as a security device
From: Timothy Shea <tim () tshea net>
Date: Wed, 23 Jan 2008 22:30:04 -0600

re: Load-balancers aren't security devices, period.

Bullocks. All devices are security devices. A load balancer is part of an overall architecture that make up part of the service you are trying to provide to your customers. Do tell - explain to me the difference of forwarding a single port via a Cisco Content Switch and an ACL for that same port on a Pix firewall? What value is that pix firewall really adding? What magical inspection is it doing to the http or https data stream? At least the load balancer can offload the SSL handshake from the servers.

I am not saying to exclude the firewall or other tools per the needs and requirements of the application - but my point is simple - all devices in the chain are part of a complete security architecture which is to provide secure and available (key word here!!) access to the application in question. I have grown tired of the classification of devices as "security" or "non-security".

t.s

On Jan 22, 2008, at 8:32 PM, Roland Dobbins wrote:


On Jan 22, 2008, at 11:05 PM, <dan.tesch () comcast net> wrote:

Could I get some comments from this community about how vulnerable or not this type of setup might be? I'm looking for specific info related to the load balancers not commentary about the corporate LAN in this situation - even if the combination of the firewalls and load balancers provide 99.9% protection I think it is a bad idea and would most likely not pass PCI scrutiny.

Load-balancers aren't security devices, period. They're load- balancers - that's it. Any protocol/ports you forward to the real servers means that someone can potentially reach out and touch the real servers to whom they happen to be load-balanced.

The public-facing servers should not effective be behind the firewall protecting your desktop LANs, as you indicate. They should be northbound of it, from a logical standpoint.

Furthermore, I'd strongly suggest investing in some DDoS protection for those servers along the lines of iACLs, S/RTBH, and possibly a 'Clean Pipes'-type service from an ISP or your own implementation using traffic scrubbers.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

        Culture eats strategy for breakfast.

          -- Ford Motor Company




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]