Re: Question re: load balancers as a security device

[Timothy Shea <tim () tshea net>]

re: Load-balancers aren't security devices, period.

Bullocks.  All devices are security devices.  A load balancer is part  
of an overall architecture that make up part of the service you are  
trying to provide to your customers.   Do tell - explain to me the  
difference of forwarding a single port via a Cisco Content Switch and  
an ACL for that same port on a Pix firewall?  What value is that pix  
firewall really adding?  What magical inspection is it doing to the  
http or https data stream?  At least the load balancer can offload the  
SSL handshake from the servers.

I am not saying to exclude the firewall or other tools per the needs  
and requirements of the application - but my point is simple - all  
devices in the chain are part of a complete security architecture  
which is to provide secure and available (key word here!!) access to  
the application in question.  I have grown tired of the classification  
of devices as "security" or "non-security".

t.s

On Jan 22, 2008, at 8:32 PM, Roland Dobbins wrote:

> On Jan 22, 2008, at 11:05 PM, <dan.tesch () comcast net> wrote:
>
> > Could I get some comments from this community about how vulnerable  
> > or not this type of setup might be? I'm looking for specific info  
> > related to the load balancers not commentary about the corporate  
> > LAN in this situation - even if the combination of the firewalls  
> > and load balancers provide 99.9% protection I think it is a bad  
> > idea and would most likely not pass PCI scrutiny.
>
> Load-balancers aren't security devices, period.  They're load- 
> balancers - that's it.  Any protocol/ports you forward to the real  
> servers means that someone can potentially reach out and touch the  
> real servers to whom they happen to be load-balanced.
>
> The public-facing servers should not effective be behind the  
> firewall protecting your desktop LANs, as you indicate.  They should  
> be northbound of it, from a logical standpoint.
>
> Furthermore, I'd strongly suggest investing in some DDoS protection  
> for those servers along the lines of iACLs, S/RTBH, and possibly a  
> 'Clean Pipes'-type service from an ISP or your own implementation  
> using traffic scrubbers.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice
>
>         Culture eats strategy for breakfast.
>
>           -- Ford Motor Company
>
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------