> 1) I don't see much point in putting a firewall in front
> of this type of configuration, since most NAT-based
> load balancers can do packet filtering, and you usually
> only want to open up a small number of ports (80, 443, 22?)
> anyway. Does anyone have any success stories or warnings
> about running with this configuration?
I agree. With a load balancer you get a built-in packet filter when you
use that kind of configuration, which is all a firewall really is. A
firewall does 3 or more things:
* Packet Filter
* Intrusion Detection
* Other options, depending on product (ok so I can't think of any, but I'm
sure there are more)
When talking about protecting your servers, you only need the first one.
The other tasks, if needed, can be done with a firewall off to the side,
not in direct path of the main traffic. Static routes can take care of
that. Intrusion detection can be passive, off of a mirrored or span port.
In fact, with ArrowPoints, Alteons, and F5s (probably more, but these
I'm sure of), if you have route-path NAT-based SLB (two VLANs, two
subnets, doing NAT to an RFC1918 address space) you don't even need to put
in a packet filter. The inherent packet translation only does load
balancing on the specified ports (80, 443, etc), and any attempts to go to
other ports are blocked by default, no need for a packet filter. Any
packet destined for a non-configured TCP/UDP port gets dropped. This may
take careful configuration, but it's not anything difficult.
> 2) In the figure mentioned above, the public and private
> networks are VLAN'd on the same switches. Provided sufficient
> access restrictions are in place on the switches, are there
> security issues with the VLAN config? I rarely see VLAN config
> issues mentioned in network security discussions.
I've heard people argue that you need to use separate boxes for this type
of thing, but their arguments have mainly been based on ignorance and
extreme paranoia in the ability for packets to sprout legs and run around
and jump VLANs.
In reality, there are no remote exploits available for VLAN hacking that I
am aware of, nor any hacks I've ever heard of involving VLANs. Using two
VLANs on one switch (correctly configured) is just as safe as using two
separate switches. There are dozens of leading providers, ISPs, and web
sites that do the VLAN separation.
-------------- -- ---- ---- --- - - - - - -- - - - - - -
Tony Bourke tonyIZZATvegan.net
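The implicit filtering that the reply attributes to route-path NAT-based SLB can be modelled in a few lines: a VIP on the public subnet, a table of configured (protocol, port) services, real servers in an RFC1918 subnet, and a default of dropping anything that does not match a configured service. The following is an added example written for this archive page; it is not code from the post, from any vendor named in it, or from Tony Bourke. The VIP (198.51.100.10), the client (203.0.113.5), the real servers (10.1.1.10, 10.1.1.11) and the sample packets are constructed, and the class and method names are the example's own.

```python
"""Toy model of route-path NAT server load balancing (SLB) and the
"no configured service, no forwarding" behaviour the post describes.

Added example; all addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle

# Private address ranges from RFC 1918; real servers must live here.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


class RoutePathNatSlb:
    """Two-subnet NAT load balancer: public side holds the VIP, private
    side holds RFC1918 real servers.  Only configured services are
    translated; every other packet is dropped and logged."""

    def __init__(self, vip: str, services: dict):
        # services maps (proto, port) -> list of real-server addresses
        self.vip = vip
        self._pools = {}
        for key, reals in services.items():
            for real in reals:
                if not any(ip_address(real) in net for net in RFC1918):
                    raise ValueError(f"real server {real} is not RFC1918")
            self._pools[key] = cycle(reals)   # simple round-robin
        self.log = []

    def exposed_services(self):
        """What the public side can actually reach: the configured
        services and nothing else.  Review this list after every change,
        since the 'careful configuration' is the whole control."""
        return sorted(self._pools)

    def forward(self, pkt: Packet):
        """Return the NAT-translated packet, or None if dropped."""
        if pkt.dst != self.vip:
            # Public traffic never reaches the private subnet directly.
            self.log.append(f"DROP {pkt.src} -> {pkt.dst}: not the VIP")
            return None
        pool = self._pools.get((pkt.proto, pkt.dport))
        if pool is None:
            self.log.append(
                f"DROP {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: "
                "no configured service")
            return None
        real = next(pool)
        self.log.append(
            f"NAT {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto} => {real}")
        return Packet(pkt.src, real, pkt.proto, pkt.dport)


def build_example_slb() -> RoutePathNatSlb:
    """Constructed configuration: HTTP on two reals, HTTPS on one."""
    return RoutePathNatSlb(
        vip="198.51.100.10",
        services={
            ("tcp", 80): ["10.1.1.10", "10.1.1.11"],
            ("tcp", 443): ["10.1.1.10"],
        },
    )


if __name__ == "__main__":
    slb = build_example_slb()
    client = "203.0.113.5"
    for p in (Packet(client, "198.51.100.10", "tcp", 80),
              Packet(client, "198.51.100.10", "tcp", 80),
              Packet(client, "198.51.100.10", "tcp", 23),
              Packet(client, "10.1.1.10", "tcp", 80)):
        slb.forward(p)
    print("exposed:", slb.exposed_services())
    print("\n".join(slb.log))
```

The `exposed_services()` listing is the check worth keeping in any change procedure: the drop-by-default behaviour only protects what is not in that table, so the table is the thing to review.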
This archive was generated by hypermail 2b30 : Wed Feb 28 2001 - 16:58:46 EST