Firewall Wizards mailing list archives

Re: Content Switch as security device?


From: "Ben Nagy" <ben () iagu net>
Date: Thu, 30 Jan 2003 09:40:22 +0100

As long as the CSS thing is only between the outside world and a DMZ I don't
really see a problem.

I always believe that publicly available webservers should be confined to
a DMZ, properly hardened and, basically, shouldn't need a firewall to
protect them. A proper webserver cares naught for syn floods and
fragmentation attacks. Given that you're now thinking about the availability
and performance of your webservers, rather than their security per se,
there's a reasonably good case for this architecture (although I don't know
anything at all about the goodness of the actual boxes in question).

Just remember that you should always assume that your public webservers
could be hacked at any second and model your security accordingly,
thinking about what an attacker could do if they had full control of the WWW
box. In a perfect world there shouldn't be any IP traffic at all from the
web DMZ to the Trusted network, but if there is it should absolutely be
secured to a higher standard (firewalls, IDS blah blah).

This is not a specific evaluation of your solution for your network and your
webservers, but the general idea doesn't trip any of my danger alarms.
Perhaps I just have a lower opinion of the security delta a traditional
firewall provides to a webserver.

Cheers,

ben

----- Original Message -----
From: "Ludolph, Michel" <Michel.Ludolph () atosorigin com>
To: <firewall-wizards () honor icsalabs com>
Sent: Wednesday, January 29, 2003 9:18 PM
Subject: [fw-wiz] Content Switch as security device?


This afternoon I had a discussion with a colleague. He told me about a
proposed Corporate Internet connection. Instead of using a Firewall between
the DMZ and the external network, the idea was to use a Cisco Content
Switch. This would result in the following architecture: Internet -->
screening router --> Content Switch --> router --> web servers.

This would mean that the Content Switch also acts as a sort of
proxy-firewall, justified by the fact that only defined ports are permitted.

I do not feel very comfortable with this solution. What about syn-floods and
fragmentation attacks? Further, a Content Switch is not designed to act as a
security device (it may listen to ports you are not aware of).

Has anyone come across such a solution, or have any thoughts on this?

Thanks,

Michel Ludolph
michel.ludolph () atosorigin com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
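The two points the thread turns on, "only defined ports are permitted" on the Internet-facing side and "assume the WWW box is fully controlled, then look at what it can reach" on the DMZ-to-trusted side, can both be checked against an ACL before anything is deployed. The script below is an added example written for this archive page, not code from either poster or from any Cisco product. It models a screening-router ACL with first-match, implicit-deny semantics (stateless, so return traffic is not modelled) and enumerates what an outside address can reach in the DMZ and what a compromised web server can reach inside. All addresses, hosts and the database flow are constructed assumptions; the thread names none.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: str                      # source prefix, CIDR notation
    dst: str                      # destination prefix, CIDR notation
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str                      # single source address
    dst: str                      # single destination address
    dport: Optional[int] = None


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow's protocol, addresses and port all fall inside the rule."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(acl: List[Rule], flow: Flow) -> bool:
    """First matching rule wins; a flow that matches nothing hits the implicit deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action == "permit"
    return False


# Constructed addresses (assumption; the thread gives no networks).
DMZ = "192.0.2.0/24"
WEB_VIP = "192.0.2.10"        # address the content switch answers on for the public site
WEB_SERVER = "192.0.2.20"     # one real web server behind the switch
DMZ_MGMT = "192.0.2.1"        # some other DMZ-side interface (router or switch management)
TRUSTED = "10.0.0.0/8"
DB_SERVER = "10.1.1.5"

# Policy A: screening router, Internet -> DMZ.
# Loose form: 80/443 to the whole DMZ prefix. Anything in the DMZ that answers on
# those ports is reachable from outside, not only the published site.
INTERNET_TO_DMZ_LOOSE = [
    Rule("permit", "tcp", "0.0.0.0/0", DMZ, 80),
    Rule("permit", "tcp", "0.0.0.0/0", DMZ, 443),
]
# Tighter form: the published address only.
INTERNET_TO_DMZ_STRICT = [
    Rule("permit", "tcp", "0.0.0.0/0", WEB_VIP + "/32", 80),
    Rule("permit", "tcp", "0.0.0.0/0", WEB_VIP + "/32", 443),
]

# Policy B: DMZ -> trusted network.
# Weak setting: the DMZ may open anything towards the inside.
DMZ_TO_TRUSTED_LOOSE = [Rule("permit", "any", DMZ, TRUSTED)]
# Corrected setting: one source host, one destination host, one port (constructed flow).
DMZ_TO_TRUSTED_STRICT = [
    Rule("permit", "tcp", WEB_SERVER + "/32", DB_SERVER + "/32", 5432),
]


def exposed_from_internet(acl, hosts, ports, outside="203.0.113.7"):
    """(host, port) pairs in the DMZ that an arbitrary outside address can reach."""
    return sorted((h, p) for h in hosts for p in ports
                  if evaluate(acl, Flow("tcp", outside, h, p)))


def reachable_from_compromised_web(acl, targets, ports):
    """(host, port) pairs inside that a fully compromised web server could open."""
    return sorted((t, p) for t in targets for p in ports
                  if evaluate(acl, Flow("tcp", WEB_SERVER, t, p)))


if __name__ == "__main__":
    dmz_hosts = [WEB_VIP, WEB_SERVER, DMZ_MGMT]
    print("Internet, loose :", exposed_from_internet(INTERNET_TO_DMZ_LOOSE, dmz_hosts, [22, 80, 443]))
    print("Internet, strict:", exposed_from_internet(INTERNET_TO_DMZ_STRICT, dmz_hosts, [22, 80, 443]))
    inside = [DB_SERVER, "10.1.1.7"]
    print("Web box, loose  :", reachable_from_compromised_web(DMZ_TO_TRUSTED_LOOSE, inside, [22, 445, 5432]))
    print("Web box, strict :", reachable_from_compromised_web(DMZ_TO_TRUSTED_STRICT, inside, [22, 445, 5432]))
```

The loose Internet-side policy shows why "only defined ports" is not the same as "only the web service": every DMZ interface that happens to answer on 80 or 443 is exposed, which is the worry about a device listening on ports you did not know about. The DMZ-to-trusted half turns the "assume the box is owned" advice into a list of what the attacker would actually get, which is the list to argue about when deciding whether the inside boundary is secured to a higher standard.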


