Firewall Wizards mailing list archives
Re: Load balancer in lieu of firewall...
From: "Holger Heimann" <hh () it-sec de>
Date: Sat, 29 May 1999 21:20:52 +0200
We've been investigating load balancers for a new website that we're going to launch. The site has to be reasonably secure, which is why we've allocated budget for a firewall as well as a load balancer. The makers of the BigIP, F5 Labs, assure us that the packet filtering features of their load balancer are sufficient, and that we don't need a firewall.
I don't know BigIP, but for a public webserver you probably won't gain much security by putting a packet filter in front. Usually packet-filters are used to explicitly allow some host to access something or explicitly deny the access for particular hosts. The first is not very practical for a public Web-Site, the second is used sometimes. But the main problem is that packet filters don't verify the traffic for illegal commands, syntax, overruns etc. and traffic is simply passed through to the Web-Server (note that I am not speaking of stateful-inspection packet-filters!). So you would have won nothing, if your WWW-server was insecure.

So I would say
1. you probably do not desperately need a packet-filter (however it would be nice to have one in spare)
2. you should consider a proxy or stateful inspection Firewall for HTTP traffic (consider your expected load!)

My two cents,
regards, Holger/hh () it-sec de

---------------------------------------------------------------------------
Online NETBIOS Vulnerability Check: http://www.it-sec.de/vulchk.html
---------------------------------------------------------------------------
ibh - Ingenieurbuero Heimann
o Security in information technology
o Data protection
o Software technology
Phone : +49-(0)731-93579-200
Fax   : +49-(0)731-93579-111
EMail : info () it-sec de
URL   : http://www.it-sec.de
Sedanstr. 10, D-89077 Ulm
P.O. Box: 2908, D-89019 Ulm
---------------------------------------------------------------------------
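An added illustration of the distinction drawn in this reply (not part of the original message, and not BigIP's or any product's logic): a stateless packet filter decides on addresses and ports alone, while an HTTP proxy can refuse malformed or oversized requests before the web server sees them. The rule set, size limits, function names and sample requests are all constructed assumptions.

```python
import ipaddress

# Constructed packet-filter rule set: (action, source network, destination port).
RULES = [("deny", "203.0.113.0/24", 80), ("allow", "0.0.0.0/0", 80)]
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URI_LEN = 2048      # assumed limits, tune to the application
MAX_HEADER_LEN = 8192

def packet_filter(src_ip, dst_port):
    """First-match decision on addresses and ports only; the payload is never read."""
    for action, net, port in RULES:
        if dst_port == port and ipaddress.ip_address(src_ip) in ipaddress.ip_network(net):
            return action
    return "deny"

def proxy_check(raw):
    """Application-layer check an HTTP proxy could make before forwarding."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return "reject: malformed request line"
    method, uri, version = parts
    if method.decode("ascii", "replace") not in ALLOWED_METHODS:
        return "reject: method not allowed"
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        return "reject: bad version"
    if len(uri) > MAX_URI_LEN:
        return "reject: URI too long"
    if any(b < 0x21 or b > 0x7E for b in uri):
        return "reject: illegal byte in URI"
    for h in lines[1:]:
        if len(h) > MAX_HEADER_LEN or b":" not in h:
            return "reject: bad header"
    return "forward"

# Constructed sample requests.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "overlong": b"GET /" + b"A" * 5000 + b" HTTP/1.0\r\n\r\n",
    "bad_method": b"DEBUG / HTTP/1.0\r\n\r\n",
}

def compare(src_ip="198.51.100.7"):
    """Return {sample: (packet-filter verdict, proxy verdict)} for one client address."""
    return {n: (packet_filter(src_ip, 80), proxy_check(r)) for n, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

All three requests get the same "allow" from the packet filter because they share a source address and port; only the proxy check separates them.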