Firewall Wizards mailing list archives

Re: Protecting publicly reachable servers (e.g. HTTP)?


From: Predrag Zivic <pzivic () yahoo com>
Date: Sat, 24 Nov 2001 12:04:20 -0800 (PST)

Hi Patrick,
Sometimes load balancing, HA firewalls and global
balancing are a must.
I have at least two examples of internet retailers
that used global load balancing. This saved their
bacon when one of the globally balanced sites was hit
by the DoS attack. In one case, the DB upgrade went
bad and all the trading went to only one site. So,
there was no service interruption.
BigIP, Alteon, Radware do load balancing, but should
not be considered security devices (i.e. are not
firewalls). Yes, they have some security features, but
those can easily misguide you, as those can easily be
abused.
Anyway, if your business is not internet based and
revenue is not significant (calculate the risk), maybe
you do not need all the "fancy" stuff. However, my
experience is that it helped...

pez

--- "Patrick M. Hausen" <hausen () punkt de> wrote:
Dear fellow wizards,

Yesterday we got into a small internal argument about
whether protecting publicly reachable servers with
currently available firewall products makes any sense
or not.

A large corporation asked for an offer for "housing" of
a web and database server including hardware and software
for the server itself and "firewall protection".
The server is supposed to offer content to the public via
HTTP.

My reasoning has always been that - given the state of
firewall products today - a static packet filter that
blocks all but port 80 would be the most appropriate
solution to offer some sort of protection to the server
machine.

Since all products I know of - even our beloved Gauntlet
application level proxy - don't filter HTTP requests
wrt extremely long URLs or other "malformed" stuff that
intends to cause a buffer overflow in the web application,
I don't see any improvement by using a "firewall product"
in place of the packet filter. Well, DoS attacks targeting the
IP stack may be guarded against, but then one would try to
DoS the firewall with the same result - application out
of service.

I hope most of you tend to agree with the above ;-)

Anyway, all competitors offered the customer elaborate and
expensive setups consisting of at least two redundant firewall
boxes, two switches, and those nice looking drawings with
a lot of crossing lines that give managers the warm fuzzy
impression of "redundancy" and "fail safety".
Probably most of them are offering Nokia or PIX, but we weren't
given that much detail. ;-)


So basically, I have two questions to you all:

1. Do you agree with me wrt the firewall vs. packet filter topic?
   What's the intention of all these companies offering more complicated
   setups? Besides making money at the job, of course. I don't imply
   they are consciously trying to sell a big unnecessary something.
   They rather do think they sell something "good", IMHO.
   So, what's the point?

2. In the last couple of years a new type of device coined "layer 4 switch"
   appeared and these things seem to have reached a certain level of
   maturity and market penetration. I'm talking about load balancing
   devices like e.g. Big IP.

   Since these things actually look inside the HTTP requests to provide
   (at least they claim to provide) session and cookie persistence and
   similar stuff when distributing the requests to a farm of servers
   - what do you think these boxes add to the security of the web
   servers they "load balance"? Some claim to protect against certain
   types of DoS attacks, too.


Thanks for your comments,

Patrick M. Hausen
Technical Director
-- 
punkt.de GmbH         Internet - Services - Consulting
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
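Patrick's point is that the firewall products of the day passed HTTP through without looking at the request itself, so an overlong URL or a malformed request line reached the web application untouched. The following is an added illustration, not code from the list, from Patrick or from Predrag, of the kind of application-layer sanity check a reverse proxy in front of the web server would apply before forwarding a request. The size limits, the allowed-method list and the sample requests are constructed for this example; the limits are hypothetical and a real deployment would tune them to the application behind the proxy.

```python
import re
from dataclasses import dataclass

# Hypothetical limits for this example. Real-world servers of the time
# accepted far longer lines, which is exactly what overflow attempts relied on.
MAX_REQUEST_LINE = 2048   # bytes, method + target + version
MAX_HEADER_LINE = 4096    # bytes per header line
MAX_HEADER_COUNT = 64     # number of header lines
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Request line per HTTP/1.0 and HTTP/1.1: METHOD SP origin-form target SP version.
# The target must start with "/" and contain no spaces or control characters.
REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (/[^ \x00-\x1f\x7f]*) HTTP/1\.[01]$")
# Header field name is a token; the value may not contain control characters.
HEADER_LINE_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[^\x00-\x08\x0a-\x1f\x7f]*$")


@dataclass
class Verdict:
    allowed: bool
    reason: str


def inspect_request(raw: bytes) -> Verdict:
    """Decide whether a raw HTTP request head should be forwarded to the origin server.

    Only the header block (up to the first blank line) is examined; the body,
    if any, is left to the application. The first failing check wins.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, "incomplete header block")

    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]

    # Length check comes first so that an enormous URL is rejected cheaply,
    # before any parsing touches it.
    if len(request_line) > MAX_REQUEST_LINE:
        return Verdict(False, f"request line too long ({len(request_line)} bytes)")

    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        return Verdict(False, "malformed request line")

    method = m.group(1).decode("ascii")
    target = m.group(2)
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method} not allowed")
    # Reject path segments that try to climb out of the document root.
    if b"/../" in target + b"/":
        return Verdict(False, "path traversal in request target")

    if len(header_lines) > MAX_HEADER_COUNT:
        return Verdict(False, f"too many header lines ({len(header_lines)})")
    for line in header_lines:
        if len(line) > MAX_HEADER_LINE:
            return Verdict(False, f"header line too long ({len(line)} bytes)")
        if not HEADER_LINE_RE.match(line):
            return Verdict(False, "malformed header line")

    return Verdict(True, "ok")


# Constructed sample requests: one benign, the others the kinds of input the
# packet filter and the firewall products discussed above pass through unchanged.
SAMPLE_REQUESTS = {
    "benign": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "long_url": b"GET /" + b"A" * 5000 + b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n",
    "bad_header": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
    "truncated": b"GET / HTTP/1.0\r\nHost: www.example.com\r\n",
}


def inspect_samples() -> dict:
    """Run every constructed sample through inspect_request and return the verdicts."""
    return {name: inspect_request(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in inspect_samples().items():
        state = "FORWARD" if verdict.allowed else "REJECT "
        print(f"{state} {name:<11} {verdict.reason}")
```

The order of checks matters for the failure mode under discussion: the byte-length test on the request line runs before the regular expression, so an oversized URL is dropped without the proxy itself doing any work on it. Whatever the proxy lets through still has to be handled safely by the web application, which is the layer Patrick is worried about; a check like this narrows the input the application sees, it does not fix the application.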