Firewall Wizards mailing list archives

Re: Load balancer in lieu of firewall...


From: "Holger Heimann" <hh () it-sec de>
Date: Sat, 29 May 1999 21:20:52 +0200

We've been investigating load balancers for a new website that we're going
to launch.  The site has to be reasonably secure, which is why we've
allocated budget for a firewall as well as a load balancer.  The makers of
the BigIP, F5 Labs, assure us that the packet filtering features of their
load balancer are sufficient, and that we don't need a firewall.


I don't know BigIP, but for a public webserver you probably won't gain much
security by putting a packet filter in front. Usually packet filters are
used to explicitly allow some host to access something or to explicitly deny
access for particular hosts. The first is not very practical for a
public Web-Site; the second is used sometimes.
But the main problem is that packet filters don't verify the traffic for
illegal commands, syntax, overruns etc., and traffic is simply passed through
to the Web-Server (note that I am not speaking of stateful-inspection
packet filters!). So you would have gained nothing if your WWW-server were
insecure.

So I would say:
1. you probably do not desperately need a packet filter (however it
   would be nice to have one in spare)
2. you should consider a proxy or stateful inspection firewall for HTTP
   traffic (consider your expected load!)


My two cents,
regards,
Holger/hh () it-sec de

---------------------------------------------------------------------------
Online NETBIOS Vulnerability Check: http://www.it-sec.de/vulchk.html
---------------------------------------------------------------------------
ibh - Ingenieurbuero Heimann                 Phone : +49-(0)731-93579-200
o Sicherheit in der Informationstechnik      Fax   : +49-(0)731-93579-111
o Datenschutz                                EMail : info () it-sec de
o Softwaretechnologie                        URL   : http://www.it-sec.de
Sedanstr. 10, D-89077 Ulm                    Postfach: 2908,  D-89019 Ulm
---------------------------------------------------------------------------
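The distinction Holger draws above, as an added example that is not part of the original post or of any product mentioned in it: a packet filter decides on IP address and port and forwards whatever HTTP bytes follow, whereas a proxy looks at the request itself. The function below mimics the kind of application-layer sanity check an HTTP proxy performs before forwarding; the allowed methods, length limits and sample requests are constructed assumptions for the example.

```python
import re

# Assumed policy for a public web site: which methods to forward and how long
# a request line or header may be before it is treated as an overrun attempt.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URI_LEN = 2048
MAX_HEADER_LINE = 1024
MAX_HEADERS = 50

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*)$")


def check_http_request(raw: bytes):
    """Return (ok, reason) for the head of one HTTP request.

    This is what a proxy can check and a plain packet filter cannot:
    the command, the syntax of the request line and headers, and their size.
    """
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return False, "request head not terminated by empty line"
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, uri = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if len(uri) > MAX_URI_LEN:
        return False, "URI too long"
    if not uri.startswith("/"):
        return False, "URI is not an absolute path"
    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        return False, "too many header lines"
    for h in headers:
        if len(h) > MAX_HEADER_LINE:
            return False, "header line too long"
        if not HEADER_LINE.match(h):
            return False, "malformed header line"
    return True, "ok"


# Constructed sample requests: one clean request and three a packet filter
# would pass unchanged because they all arrive on the permitted TCP port.
SAMPLES = {
    "valid": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "overrun": b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\nHost: x\r\n\r\n",
    "syntax": b"GET/ HTTP/1.0\r\nHost: x\r\n\r\n",
}


def run_samples():
    """Evaluate every constructed sample; only the clean one should pass."""
    return {name: check_http_request(req) for name, req in SAMPLES.items()}
```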