Re: Question re: load balancers as a security device

[David Glosser <david_glosser () yahoo com>]

-Sounds like employees at the ISP have access to those servers, and by extension, could get into your network. 
-Many ISPs have "service" networks for backups and management - what if a server on the same backup segment has a virus 
and infects your machine and then jumps into your corporate address space? 

-Unless the load balancers are doing some sort of filtering, it seems that the machines are being touched -- The load 
balancers  basically deciding WHICH machine  will be accessed, and pass everything, such as through the injection 
attempts,  to the web server behind it.... 





----- Original Message ----
> From: "dan.tesch () comcast net" <dan.tesch () comcast net>
> To: pen-test () securityfocus com
> Sent: Tuesday, January 22, 2008 10:05:28 AM
> Subject: Question re: load balancers as a security device
>
> I'm new to a company that has a large number of sites parked on
> managed
 servers at a hosting facility - the servers, firewalls and
> load
 balancers are exclusive to our use but managed by the ISP.
> In reviewing our site design I have seen that the VPN between our
> LAN
 and the hosting facility permits all IP traffic in both directions
> -
 effectively making these public facing servers part of our LAN in
> my
 opinion.
> For obvious reasons I'm looking to change this.  Nobody is
> lobbying
 against the change but a senior developer that was involved in
> the
 original design points out that because of the load balancers in front of
> the
 servers, the world at large is not able to touch the machines and
> thus
 the potential for compromise is limited.
> Could I get some comments from this community about how vulnerable
> or
 not this type of setup might be? I'm looking for specific info
> related
 to the load balancers not commentary about the corporate LAN in
> this
 situation - even if the combination of the firewalls and load
> balancers
 provide 99.9% protection I think it is a bad idea and would most
> likely
 not pass PCI scrutiny.
> Thanks
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------