Firewall Wizards mailing list archives
Re: Content Switch as security device?
From: "Ben Nagy" <ben () iagu net>
Date: Thu, 30 Jan 2003 09:40:22 +0100
As long as the CSS thing is only between the outside world and a DMZ I don't really see a problem. I always believe that publicly available webservers should be confined to a DMZ, properly hardened and, basically, shouldn't need a firewall to protect them. A proper webserver cares naught for syn floods and fragmentation attacks. Given that you're now thinking about the availability and performance of your webservers, rather than their security per se, there's a reasonably good case for this architecture (although I don't know anything at all about the goodness of the actual boxes in question).

Just remember that you should always assume that your public webservers could be hacked at any second and to model your security accordingly, thinking about what an attacker could do if they had full control of the WWW box. In a perfect world there shouldn't be any IP traffic at all from the web DMZ to the Trusted network, but if there is it should absolutely be secured to a higher standard (firewalls, IDS blah blah).

This is not a specific evaluation of your solution for your network and your webservers, but the general idea doesn't trip any of my danger alarms. Perhaps I just have a lower opinion of the security delta a traditional firewall provides to a webserver.

Cheers,
ben

----- Original Message -----
From: "Ludolph, Michel" <Michel.Ludolph () atosorigin com>
To: <firewall-wizards () honor icsalabs com>
Sent: Wednesday, January 29, 2003 9:18 PM
Subject: [fw-wiz] Content Switch as security device?
This afternoon I had a discussion with a colleague. He told me about a proposed Corporate Internet connection. Instead of using a Firewall between the DMZ and the external network, the idea was to use a Cisco Content Switch. This would result in the following architecture: Internet --> screening router --> Content Switch --> router --> web servers. This would mean that the Content Switch also acts as a sort of proxy-firewall, justified by the fact that only defined ports are permitted.

I do not feel very comfortable with this solution. What about syn-floods and fragmentation attacks? Further, a Content Switch is not designed to act as a security device (it may listen to ports you are not aware of). Has anyone come across such a solution, or have any thoughts on this?

Thanks,
Michel Ludolph
michel.ludolph () atosorigin com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
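The design rule argued in the thread, that web servers in the DMZ must be assumed compromisable and so nothing should pass from the web DMZ to the trusted network without tight justification, can be checked mechanically against a zone-to-zone rule set. The following is an added example, not code from either poster; the `Rule` model, zone names and the sample policy are constructed here for illustration.

```python
"""Audit a zone-to-zone policy against the thread's principle: assume the
web DMZ is owned, so permits from web-dmz to trusted are suspect, and any
exception must name a specific host and port rather than 'any'."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str   # "any" or one specific address
    dst_port: str   # "any" or one specific port
    action: str     # "permit" or "deny"


# Constructed sample policy (hypothetical addresses, not from the post).
SAMPLE_RULES = [
    Rule("internet", "web-dmz", "10.1.1.10", "80", "permit"),
    Rule("internet", "web-dmz", "10.1.1.10", "443", "permit"),
    Rule("web-dmz", "trusted", "10.2.2.5", "1433", "permit"),  # DB access: needs scrutiny
    Rule("web-dmz", "trusted", "any", "any", "permit"),        # wildcard egress: the bad one
    Rule("web-dmz", "internet", "any", "any", "deny"),
]


def audit(rules, dmz="web-dmz", trusted="trusted"):
    """Return (severity, message) findings for permits that violate or
    strain the 'no web DMZ -> trusted traffic' principle."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.src_zone == dmz and r.dst_zone == trusted:
            if r.dst_host == "any" or r.dst_port == "any":
                findings.append(("high", f"{dmz}->{trusted} permit with wildcard host/port: {r}"))
            else:
                findings.append(("medium", f"{dmz}->{trusted} permit to {r.dst_host}:{r.dst_port}; "
                                 "justify it and put a firewall plus IDS in front of it"))
        elif r.dst_zone == dmz and r.dst_port == "any":
            # A content switch that "only permits defined ports" should never need this.
            findings.append(("medium", f"inbound to {dmz} permits any port: {r}"))
    return findings


def severities(rules):
    """Sorted list of finding severities, handy for a pass/fail gate."""
    return sorted(sev for sev, _ in audit(rules))


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_RULES):
        print(f"[{sev}] {msg}")
```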