Re: [load balancing] Security Issues with Load Balancing Infrastructure

From: tony bourke (tonyIZZATvegan.net)
Date: Wed Feb 28 2001 - 16:58:35 EST


    > http://sysadmin.oreilly.com/news/bourke_1100.html
    >
    > 1) I don't see much point in putting a firewall in front
    > of this type of configuration, since most NAT-based
    > load balancers can do packet filtering, and you usually
    > only want to open up a small number of ports (80, 443, 22?)
    > anyway. Does anyone have any success stories or warnings
    > about running in with configuration?

    I agree. With a load balancer you get a built-in packet filter when you
    use that kind of configuration, which is all a firewall really is. A
    firewall does 3 or more things:

    * Packet Filter
    * VPN
    * Intrusion Detection
    * Other options, depending on product (ok so I can't think of any, but I'm
    sure there are more)

    When talking about protecting your servers, you only need the first one.
    The other tasks, if needed, can be done with a firewall off to the side,
    not in direct path of the main traffic. Static routes can take care of
    that. Intrusion detection can be passive, off of a mirrored or span port.

    In fact, with ArrowPoints and Alteon, and F5's (probably more, but these
    I'm sure of), if you have route-path NAT-based SLB (two VLANs, two
    subnets, doing NAT to an RFC1918 address space) you don't even need to put
    in a packet filter. The inherent packet translation only does load
    balancing on the specified ports (80, 443, etc), and any attempts to go to
    other ports are blocked by default, no need for a packet filter. Any
    packet destined for a non-configured TCP/UDP port gets dropped. This may
    take careful configuration, but it's not anything difficult.

    > 2) In the figure mentioned above, the public and private
    > networks are VLAN'd on the same switches. Provided sufficient
    > access restrictions are in place on the switches, are there
    > security issues with the VLAN config? I rarely see VLAN config
    > issues mentioned in network security discussions.

    I've heard people argue that you need to use separate boxes for this type
    of thing, but their arguments have mainly been based on ignorance and
    extreme paranoia in the ability for packets to sprout legs and run around
    and jump VLANs.

    In reality, there are no remote-exploits available for VLAN hacking that I
    am aware of, nor any hacks I've ever heard of involving VLANs. Using two
    VLANs on one switch (correctly configured) is just as safe as using two
    separate switches. There are dozens of leading providers, ISPs, and web
    sites that do the VLAN separation.

    Tony

    -------------- -- ---- ---- --- - - - - - -- - - - - - -
    Tony Bourke tonyIZZATvegan.net
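
An added example, not part of the original message: a small Python model of the NAT-based SLB behaviour described in the reply, where only configured VIP ports are translated to RFC 1918 real servers and everything else is dropped, plus an audit of the virtual-service table for the "careful configuration" it mentions. The addresses, `NatSlb`, `audit` and the table layout are constructed for illustration and are not any vendor's configuration syntax.

```python
import ipaddress
from itertools import cycle

# Constructed sample config: one public VIP, real servers on an RFC 1918 subnet.
VIP = "192.0.2.10"
VIRTUAL_SERVICES = {
    (VIP, "tcp", 80): ["10.0.0.11", "10.0.0.12"],
    (VIP, "tcp", 443): ["10.0.0.11", "10.0.0.12"],
}
EXPECTED_PORTS = {80, 443}  # assumption: the only ports meant to be public

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class NatSlb:
    """Hypothetical model: translation exists only for configured services."""

    def __init__(self, services):
        # One round-robin iterator per (vip, protocol, port) virtual service.
        self._pools = {key: cycle(reals) for key, reals in services.items()}

    def forward(self, dst_ip, proto, dst_port):
        """Return (real_ip, port) after NAT, or None when the packet is dropped."""
        pool = self._pools.get((dst_ip, proto, dst_port))
        if pool is None:
            return None  # no virtual service matches: dropped by default
        return (next(pool), dst_port)


def audit(services, expected_ports):
    """List config entries that widen exposure beyond what was intended."""
    findings = []
    for (vip, proto, port), reals in services.items():
        if port not in expected_ports:
            findings.append(f"{vip} {proto}/{port}: port not in expected set")
        for real in reals:
            addr = ipaddress.ip_address(real)
            if not any(addr in net for net in RFC1918):
                findings.append(
                    f"{vip} {proto}/{port}: real server {real} is not RFC 1918")
    return findings


if __name__ == "__main__":
    slb = NatSlb(VIRTUAL_SERVICES)
    for port in (80, 443, 22):
        print(port, slb.forward(VIP, "tcp", port))
    print(audit(VIRTUAL_SERVICES, EXPECTED_PORTS))
```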


