Firewall Wizards mailing list archives

Re: Load balancer in lieu of firewall...


From: "Chris Michael" <cm () 21stcentury net>
Date: Sat, 29 May 1999 07:12:33 -0500

At 09:51 AM 5/24/99 , John Nanas wrote:
> Pardon the simple question, but I've been bombarded by marketing material
> and now have little sense left in me to make a rational decision.
>
> We've been investigating load balancers for a new website that we're going
> to launch.  The site has to be reasonably secure, which is why we've
> allocated budget for a firewall as well as a load balancer.  The makers of
> the BigIP, F5 Labs, assure us that the packet filtering features of their
> load balancer are sufficient, and that we don't need a firewall.

If you're running a web server farm you probably want to use router
filtering to block traffic on all non-essential ports.  After that, you
could use whatever packet filtering is built into the load-balancing stuff.

BUT--and this is the big one--you are allowing through http to your web
servers.  Nothing you do can prevent them from being exposed to http-driven
attacks.  You want to make those machines as secure as possible and you
should consider running some kind of host-based intrusion detection on
them.  With web servers there's really very little you can do in front of
them to protect them (not that you shouldn't try); the web server itself
needs to be as locked down as a firewall.

Chris


--  <--listserv unconfuser
{
|  Christopher Michael
|  Network Associates
|  Channel Security Specialist
|  Chris_Michael () nai com
}


