Penetration Testing mailing list archives
Re: Question re: load balancers as a security device
From: Dotzero <dotzero () gmail com>
Date: Fri, 25 Jan 2008 11:33:28 -0500
Getting ready for the usual barrage of automated junk responses from when I post here....... vacation messages, Challenge/Response, not authorized to post to other lists because someone is forwarding messages, etc. On 22 Jan 2008 15:05:28 -0000, dan.tesch () comcast net <dan.tesch () comcast net> wrote:
I'm new to a company that has a large number of sites parked on managed servers at a hosting facility - the servers, firewalls and load balancers are exclusive to our use but managed by the ISP. In reviewing our site design I have seen that the VPN between our LAN and the hosting facility permits all IP traffic in both directions - effectively making these public facing servers part of our LAN in my opinion.
Idon't know that I woudl call them "public facing". I would consider them facing an external network with unknown security implications. Depends onhow the firewalls, switches and load balancers are configured. This is something to discuss with the ISP.
For obvious reasons I'm looking to change this. Nobody is lobbying against the change but a senior developer that was involved in the original design points out that because of the load balancers in front of the servers, the world at large is not able to touch the machines and thus the potential for compromise is limited.
I've worked with load balancers from various venders in large scale complex implementations. I have certs from 2 vendors and have a bit of knowledge in this area. If you are implementing something like Pound then YMMV. If you are talking about a commercial product then my comment is this: While most (pretty much all) well known load balancer products provide security features and can benefit security if properly configured, they should not be considered security devices in and of themselves. You can filter traffic using ACLs at the IP level and you can do some pretty complex stuff right up the track by inspecting the contents of packets. Some LBs can integrate with IDS/IPS and some allow you to integrate web application firewalls. In most situations that I have encountered the person responsible for an LB implementation has basic knowledge and not much broad experience. They know their particular implementation. In the case of managed services I've found that vendors try very hard to standardize the implementations they manage. This may provide a good basic configuration but may not take advantage of additional capabilities available from the vendor.
Could I get some comments from this community about how vulnerable or not this type of setup might be? I'm looking for specific info related to the load balancers not commentary about the corporate LAN in this situation - even if the combination of the firewalls and load balancers provide 99.9% protection I think it is a bad idea and would most likely not pass PCI scrutiny.
See above. It's hard to make detailed useful comments without an understanding of the architecture, traffic, configuration of LBs, etc. Also note that there can be a lagtime between a vulnerability being identified and the vendor releasing a patch. This is especially true for things like OpenSSL, SSH, etc. Even a couple week lag can be risky if external networks can connect to the device. Just my 2 cents ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Re: Question re: load balancers as a security device, (continued)
- Re: Question re: load balancers as a security device Justin Ferguson (Jan 23)
- Re: Question re: load balancers as a security device kevin horvath (Jan 23)
- Re: Question re: load balancers as a security device Marcos Pitanga (Jan 23)
- Re: Question re: load balancers as a security device bugtraq (Jan 25)
- Re: Question re: load balancers as a security device Marcos Pitanga (Jan 23)
- Re: Question re: load balancers as a security device Roland Dobbins (Jan 23)
- Re: Question re: load balancers as a security device Timothy Shea (Jan 25)
- Re: Question re: load balancers as a security device Roland Dobbins (Jan 28)
- Re: Question re: load balancers as a security device Robert E. Lee (Jan 29)
- Re: Question re: load balancers as a security device Timothy Shea (Jan 25)
- Re: Question re: load balancers as a security device Sanjay R (Jan 23)
- Re: Question re: load balancers as a security device David Howe (Jan 25)
- Re: Question re: load balancers as a security device Dotzero (Jan 25)
- Re: Question re: load balancers as a security device David Glosser (Jan 23)