Penetration Testing mailing list archives
Re: Question re: load balancers as a security device
From: David Howe <David.Howe () ansgroup co uk>
Date: Thu, 24 Jan 2008 09:44:06 +0000
dan.tesch () comcast net wrote:
I'm new to a company that has a large number of sites parked on managed servers at a hosting facility - the servers, firewalls and load balancers are exclusive to our use but managed by the ISP. In reviewing our site design I have seen that the VPN between our LAN and the hosting facility permits all IP traffic in both directions - effectively making these public facing servers part of our LAN in my opinion. For obvious reasons I'm looking to change this. Nobody is lobbying against the change but a senior developer that was involved in the original design points out that because of the load balancers in front of the servers, the world at large is not able to touch the machines and thus the potential for compromise is limited. Could I get some comments from this community about how vulnerable or not this type of setup might be? I'm looking for specific info related to the load balancers not commentary about the corporate LAN in this situation - even if the combination of the firewalls and load balancers provide 99.9% protection I think it is a bad idea and would most likely not pass PCI scrutiny.
There isn't an easy answer; depending on your *outbound* firewalling from the webservers, threat model and the exploit used, an attacker may still be able to get a working shell on the machine - at which point he is effectively on your network.
There are exploits "in the wild" where a shell is created and the control connection for it is set up *outbound* to the attacker (or more probably, to a relay controlled by the attacker). There are also exploits "in the wild" where individual command shell commands can be run, and the results returned in the http reply. Assuming your webserver (s) are vulnerable to such exploits, the load balancer would only be a minor impediment to the attacker (in that he would have to structure any sequence of commands so as to take into account they may not run sequentially on the same server; that could be as simple as retrying the commands until you *are* on the right server)
Another question could be if your hosts at the colo are vlanned away from the *other* hosts at the colo - if not, then an attacker could theoretically compromise or even buy another host at the same site, and attack your servers at his leisure, play games with ARP to intercept traffic/gain access to the VPN link, or generally ignore the existence of the load balancing. Even with vlanning, there may be a route to your boxes that doesn't go though the balancing solution - so reliance on it to block ports other than web is probably unwise.
David Howe Senior SysCare Engineer david.howe () ansgroup co uk Office number: 0161 227 1010 Fax: 0161 227 1020 ANS group plc Synergy House Manchester Science Park Manchester M15 6SY www.ansgroup.co.ukThe information contained in this communication from david.howe () ansgroup co uk is confidential and may be legally privileged. It is intended solely for use by pen-test () securityfocus com and others authorised to receive it. If you are not pen-test () securityfocus com you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.
ANS group plc 2007 - Privacy Policy - Registered Office is Synergy House, Manchester Science Park, Manchester, M15 6SY. Reg No. 3176761. (Registered in England & Wales) ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Re: Question re: load balancers as a security device, (continued)
- Re: Question re: load balancers as a security device Matthew Leeds (Jan 23)
- Re: Question re: load balancers as a security device Justin Ferguson (Jan 23)
- Re: Question re: load balancers as a security device kevin horvath (Jan 23)
- Re: Question re: load balancers as a security device Marcos Pitanga (Jan 23)
- Re: Question re: load balancers as a security device bugtraq (Jan 25)
- Re: Question re: load balancers as a security device Marcos Pitanga (Jan 23)
- Re: Question re: load balancers as a security device Roland Dobbins (Jan 23)
- Re: Question re: load balancers as a security device Timothy Shea (Jan 25)
- Re: Question re: load balancers as a security device Roland Dobbins (Jan 28)
- Re: Question re: load balancers as a security device Robert E. Lee (Jan 29)
- Re: Question re: load balancers as a security device Timothy Shea (Jan 25)
- Re: Question re: load balancers as a security device Sanjay R (Jan 23)
- Re: Question re: load balancers as a security device David Howe (Jan 25)
- Re: Question re: load balancers as a security device Dotzero (Jan 25)
- Re: Question re: load balancers as a security device David Glosser (Jan 23)