Penetration Testing mailing list archives
Re: Question re: load balancers as a security device
From: "Matthew Leeds" <mleeds () theleeds net>
Date: Tue, 22 Jan 2008 11:56:14 -0800
The answer is, it depends. It depends on the network design and the technology used by the load balancer. For example, a round-robin DNS load balancer offers no security. Sure, one could argue that since you don't expose the host via a public IP address there is no risk. That's not the case. You might want to read: http://www.networkcomputing.com/1102/1102ws1.html or if you are a MS shop: http://www.microsoft.com/downloads/details.aspx?FamilyID=A101CA7D-6FCD-44BF-8BE1-47F1462DCB24&displaylang=en http://207.46.196.114/WindowsServer/en/Library/fa6ef832-1aa7-472f-b492-0dd3c60bd46d1033.mspx ---------- ---Matthew *********** REPLY SEPARATOR *********** On 1/22/2008 at 3:05 PM dan.tesch () comcast net wrote:
I'm new to a company that has a large number of sites parked on managed servers at a hosting facility - the servers, firewalls and load balancers are exclusive to our use but managed by the ISP. In reviewing our site design I have seen that the VPN between our LAN and the hosting facility permits all IP traffic in both directions - effectively making these public facing servers part of our LAN in my opinion. For obvious reasons I'm looking to change this. Nobody is lobbying against the change but a senior developer that was involved in the original design points out that because of the load balancers in front of the servers, the world at large is not able to touch the machines and thus the potential for compromise is limited. Could I get some comments from this community about how vulnerable or not this type of setup might be? I'm looking for specific info related to the load balancers not commentary about the corporate LAN in this situation - even if the combination of the firewalls and load balancers provide 99.9% protection I think it is a bad idea and would most likely not pass PCI scrutiny. Thanks ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Question re: load balancers as a security device dan . tesch (Jan 22)
- Re: Question re: load balancers as a security device Matthew Leeds (Jan 23)
- Re: Question re: load balancers as a security device Justin Ferguson (Jan 23)
- Re: Question re: load balancers as a security device kevin horvath (Jan 23)
- Re: Question re: load balancers as a security device Marcos Pitanga (Jan 23)
- Re: Question re: load balancers as a security device bugtraq (Jan 25)
- Re: Question re: load balancers as a security device Marcos Pitanga (Jan 23)
- Re: Question re: load balancers as a security device Roland Dobbins (Jan 23)
- Re: Question re: load balancers as a security device Timothy Shea (Jan 25)
- Re: Question re: load balancers as a security device Roland Dobbins (Jan 28)
- Re: Question re: load balancers as a security device Robert E. Lee (Jan 29)
- Re: Question re: load balancers as a security device Timothy Shea (Jan 25)
- Re: Question re: load balancers as a security device Sanjay R (Jan 23)
- Re: Question re: load balancers as a security device David Howe (Jan 25)