Re: Question re: load balancers as a security device

From: Dotzero (dotzero@gmail.com)
Date: Fri Jan 25 2008 - 11:33:28 EST


Getting ready for the usual barrage of automated junk responses from
when I post here....... vacation messages, Challenge/Response, not
authorized to post to other lists because someone is forwarding
messages, etc.

On 22 Jan 2008 15:05:28 -0000, dan.tesch@comcast.net
<dan.tesch@comcast.net> wrote:
> I'm new to a company that has a large number of sites parked on managed servers at a hosting facility - the servers, firewalls and load balancers are exclusive to our use but managed by the ISP.
>
>
> In reviewing our site design I have seen that the VPN between our LAN and the hosting facility permits all IP traffic in both directions - effectively making these public facing servers part of our LAN in my opinion.
>

Idon't know that I woudl call them "public facing". I would consider
them facing an external network with unknown security implications.
Depends onhow the firewalls, switches and load balancers are
configured. This is something to discuss with the ISP.

>
> For obvious reasons I'm looking to change this. Nobody is lobbying against the change but a senior developer that was involved in the original design points out that because of the load balancers in front of the servers, the world at large is not able to touch the machines and thus the potential for compromise is limited.
>
>

I've worked with load balancers from various venders in large scale
complex implementations. I have certs from 2 vendors and have a bit of
knowledge in this area. If you are implementing something like Pound
then YMMV. If you are talking about a commercial product then my
comment is this:

While most (pretty much all) well known load balancer products provide
security features and can benefit security if properly configured,
they should not be considered security devices in and of themselves.

You can filter traffic using ACLs at the IP level and you can do some
pretty complex stuff right up the track by inspecting the contents of
packets. Some LBs can integrate with IDS/IPS and some allow you to
integrate web application firewalls.

In most situations that I have encountered the person responsible for
an LB implementation has basic knowledge and not much broad
experience. They know their particular implementation.

In the case of managed services I've found that vendors try very hard
to standardize the implementations they manage. This may provide a
good basic configuration but may not take advantage of additional
capabilities available from the vendor.

> Could I get some comments from this community about how vulnerable or not this type of setup might be? I'm looking for specific info related to the load balancers not commentary about the corporate LAN in this situation - even if the combination of the firewalls and load balancers provide 99.9% protection I think it is a bad idea and would most likely not pass PCI scrutiny.
>
>

See above. It's hard to make detailed useful comments without an
understanding of the architecture, traffic, configuration of LBs, etc.
Also note that there can be a lagtime between a vulnerability being
identified and the vendor releasing a patch. This is especially true
for things like OpenSSL, SSH, etc. Even a couple week lag can be risky
if external networks can connect to the device.

Just my 2 cents

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:21 EDT