Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Question re: load balancers as a security device

From: Roland Dobbins <rdobbins () cisco com>
Date: Wed, 23 Jan 2008 10:32:25 +0800

On Jan 22, 2008, at 11:05 PM, <dan.tesch () comcast net> wrote:
Could I get some comments from this community about how vulnerable or not this type of setup might be? I'm looking for specific info related to the load balancers not commentary about the corporate LAN in this situation - even if the combination of the firewalls and load balancers provide 99.9% protection I think it is a bad idea and would most likely not pass PCI scrutiny.
Load-balancers aren't security devices, period. They're load- balancers - that's it. Any protocol/ports you forward to the real servers means that someone can potentially reach out and touch the real servers to whom they happen to be load-balanced.
The public-facing servers should not effective be behind the firewall protecting your desktop LANs, as you indicate. They should be northbound of it, from a logical standpoint.
Furthermore, I'd strongly suggest investing in some DDoS protection for those servers along the lines of iACLs, S/RTBH, and possibly a 'Clean Pipes'-type service from an ISP or your own implementation using traffic scrubbers. 

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

        Culture eats strategy for breakfast.

           -- Ford Motor Company




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: