
Penetration Testing mailing list archives

Re: Question re: load balancers as a security device
From: Roland Dobbins <rdobbins () cisco com>
Date: Sat, 26 Jan 2008 22:07:20 +0800

On Jan 24, 2008, at 12:30 PM, Timothy Shea wrote:

> Bollocks. All devices are security devices.

Untrue. Routers, switches, DDoS mitigation devices, traffic classification tools, et al. are security devices. Load-balancers are not security devices, as they instantiate a lot of state in front of the load-balanced devices, typically rendering them more vulnerable to DDoS, and all too often are deployed without the additional tools/techniques required to mitigate the effects of DDoS.

> A load balancer is part of an overall architecture that makes up part of the service you are trying to provide to your customers.

Security is a function of architecture, yes, of course. They are inseparable.

> Do tell - explain to me the difference of forwarding a single port via a Cisco Content Switch and an ACL for that same port on a Pix firewall?

I don't take this as a serious question, so I'm not going to bother typing out a response.

> What value is that pix firewall really adding? What magical inspection is it doing to the http or https data stream? At least the load balancer can offload the SSL handshake from the servers.

Why all the vitriol with regards to firewalls? I've said nothing about them. I'm pretty well-known in the operational community for pointing out that firewalls are fixed policy enforcement devices, but that this is *only one aspect of security*, not the be-all/end-all many seem to believe. I'm an advocate of reaction techniques such as S/RTBH, which merely rely upon routers and other inherent properties of the infrastructure.

> I am not saying to exclude the firewall or other tools per the needs and requirements of the application - but my point is simple - all devices in the chain are part of a complete security architecture which is to provide secure and available (key word here!!) access to the application in question. I have grown tired of the classification of devices as "security" or "non-security".

Again, I find this fixation upon firewalls to be very peculiar, since I've not mentioned them and in fact believe them to be *vastly* overrated when compared to other, more fundamental and organic security tools/techniques.

You're preaching to the choir with regards to the points about architecture and about the fact that most devices/features/functions/techniques which can classify and/or manipulate traffic certainly have security value.

*What I have grown tired of* is the continuing lack of understanding of the concept of DDoS attacks being attacks against capacity and/or state, and that instantiating a lot of state in front of a host, either with a load-balancer or with a firewall, renders said host *more* vulnerable to the DDoS, not less.

I continue to assert that load-balancers do not have a strong inherent security value, except in the negative sense when they are deployed without mitigatory tools/techniques such as stateless ACLs, S/RTBH, and/or DDoS mitigation systems. I will further assert that routing techniques such as S/RTBH anycast *do* have inherent security value, as they are great aids to availability without significant inherent weaknesses.

Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

        Culture eats strategy for breakfast.

           -- Ford Motor Company
