Firewall Wizards mailing list archives
Re: Content Switch as security device?
From: Dave Mitchell <dmitchell () viawest net>
Date: Wed, 29 Jan 2003 14:22:54 -0700
Michel, I agree with your level of uncomfortability. A content switch is meant to balance L3->L4 traffic (yes, some others go to L7), not inspect and perform a policy on inbound/outbound traffic. Depending on the type of switch, you might not even have an ASIC that can perform under a DDoS or other type of attack. Content switches only balance traffic based on source and dest IP/port, and use a load balancing algorithm to point it at your particular farm or server. They do not perform any other packet inspection to prevent malicious traffic like a SYN attack, replay, or any other you can think of.

Using a firewall will provide you stateful inspection of each packet to prevent anyone from re-encapsulating other packets within HTTP or whatever and doing something malicious to your web servers. Certain firewalls will provide you with rate shaping, threshold levels for an attack, and other standard SYN protection, etc. With a real firewall, you can also manage your farm via an IPSec VPN or another of your choice. Besides all of the features, policy management, SNMP, and syslog all help show you potential holes or attacks. Having a firewall provides far more advantages than attempting to protect yourself with a content switch.

-dave

On Wed, Jan 29, 2003 at 09:18:10PM +0100, Ludolph, Michel wrote:
> This afternoon I had a discussion with a colleague. He told me about a proposed Corporate Internet connection. Instead of using a firewall between the DMZ and the external network, the idea was to use a Cisco Content Switch. This would result in the following architecture:
>
> Internet --> screening router --> Content Switch --> router --> web servers
>
> This would mean that the Content Switch also acts as a sort of proxy-firewall, justified by the fact that only defined ports are permitted. I do not feel very comfortable with this solution. What about SYN floods and fragmentation attacks? Further, a Content Switch is not designed to act as a security device (it may listen on ports you are not aware of). Has anyone come across such a solution, or have any thoughts on this?
>
> Thanks,
> Michel Ludolph
> michel.ludolph () atosorigin com
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
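The distinction Dave draws above, port-only forwarding versus stateful inspection with a SYN threshold, is easy to see in a few lines of code. The following is an added example, not code from either poster or from any Cisco product: a port-only check beside a minimal stateful TCP tracker, both run over constructed packets. The VIP 10.0.0.10, the permitted ports, the client addresses and the half-open limit of 3 are all hypothetical. It also goes slightly beyond the thread by including a stray mid-stream ACK, which a port rule accepts because the destination port matches while the stateful tracker drops it for lacking a handshake.

```python
"""Added example: port-only (stateless) policy beside a minimal stateful
TCP tracker with a half-open connection cap, run over constructed packets.
Not code from the mailing-list thread; addresses, ports and the limit are
hypothetical."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

# Hypothetical VIP and permitted service ports: the "only defined ports
# are permitted" policy a content-switch rule would express.
ALLOWED = {("10.0.0.10", 80), ("10.0.0.10", 443)}


def stateless_permit(pkt, allowed=ALLOWED):
    """Port-only policy: any packet to an allowed dst/port passes,
    whatever its TCP flags or connection state."""
    return (pkt.dst, pkt.dport) in allowed


class StatefulFilter:
    """Tracks client->server flows through the handshake and caps the
    number of half-open (SYN seen, no ACK yet) flows."""

    def __init__(self, allowed=ALLOWED, syn_limit=3):
        self.allowed = allowed
        self.syn_limit = syn_limit
        self.half_open = set()
        self.established = set()
        self.drops = []  # (flow, reason)

    def permit(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        syn_only = "S" in pkt.flags and "A" not in pkt.flags
        if syn_only:
            if (pkt.dst, pkt.dport) not in self.allowed:
                self.drops.append((flow, "policy"))
                return False
            if len(self.half_open) >= self.syn_limit:
                # Backlog full: refuse new SYNs instead of passing them on
                # to the servers behind the device.
                self.drops.append((flow, "syn-threshold"))
                return False
            self.half_open.add(flow)
            return True
        if flow in self.half_open:
            # Third packet of the handshake completes the flow.
            self.half_open.discard(flow)
            self.established.add(flow)
            return True
        if flow in self.established:
            return True
        # No matching state: a bare ACK, RST or mid-stream segment from a
        # peer that never completed a handshake with us.
        self.drops.append((flow, "no-state"))
        return False


def run_demo():
    """Constructed traffic: one legitimate client, one stray ACK to an
    allowed port, then a burst of SYNs from distinct sources."""
    vip = "10.0.0.10"
    legit = [
        Packet("192.0.2.5", 40000, vip, 80, "S"),
        Packet("192.0.2.5", 40000, vip, 80, "A"),
        Packet("192.0.2.5", 40000, vip, 80, "PA"),
    ]
    stray = [Packet("198.51.100.9", 5555, vip, 443, "A")]
    flood = [Packet("203.0.113.%d" % i, 1024 + i, vip, 80, "S")
             for i in range(10)]
    traffic = legit + stray + flood

    sf = StatefulFilter(syn_limit=3)
    stateless = sum(stateless_permit(p) for p in traffic)
    stateful = sum(sf.permit(p) for p in traffic)
    reasons = {}
    for _, why in sf.drops:
        reasons[why] = reasons.get(why, 0) + 1
    return {"stateless_passed": stateless, "stateful_passed": stateful,
            "drop_reasons": reasons, "half_open": len(sf.half_open)}


if __name__ == "__main__":
    print(run_demo())
```

Two simplifications matter if you read this as a model of a real firewall: it only tracks the client-to-server direction, and half-open entries never age out, so a real implementation also needs a timeout on the half-open table (otherwise a slow trickle of SYNs fills it permanently) and matching of the server's SYN-ACK and later return traffic.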