RE: [load balancing] Security Issues with Load Balancing Infrastructure

From: tony bourke (tonyIZZATvegan.net)
Date: Wed Feb 28 2001 - 17:00:40 EST


    A passive intrusion detection system sitting on a SPAN or mirrored port
    can make up for the features that packet filtering on the load balancer
    doesn't provide.

    Tony

    > Even with an Alteon doing the filtering, you don't have as much control over
    > the traffic as you would with a true firewall, and the load balancer doesn't
    > provide good reporting of discarded packets.
    >
    > Many folks are getting big into using intrusion detection systems. I
    > believe that before you get into intrusion detection, you should have your
    > firewall logs watched and analyzed regularly (find out who is fiddling with
    > the lock outside your door). The load balancers won't provide much
    > information to help you determine if you're being attacked or not (just that
    > hundreds of packets are being discarded).
    >
    > If someone does a portscan against your firewall, the logs will show it
    > immediately. If someone does a portscan against your load balanced switch,
    > all you'll see is a thousand dropped packets with no other clues as to what
    > was going on.
    >
    > -Tim Titus------------------------------
    > Director, Internet Operations, NCS Learn
    > -----<www.NCSlearn.com>-----------------
    >
    >
    >
    > -----Original Message-----
    > From: David Waldo [mailto:waldoIZZATcos.com]
    > Sent: Wednesday, February 28, 2001 10:01 AM
    > To: 'lb-lIZZATvegan.net'
    > Subject: [load balancing] Security Issues with Load Balancing
    > Infrastructure
    >
    >
    > Two questions about security. In both cases I'm talking
    > about a route-path, NAT-based load balancing configuration
    > similar to Figure 4 in Tony Bourke's article at:
    >
    > http://sysadmin.oreilly.com/news/bourke_1100.html
    >
    > 1) I don't see much point in putting a firewall in front
    > of this type of configuration, since most NAT-based
    > load balancers can do packet filtering, and you usually
    > only want to open up a small number of ports (80, 443, 22?)
    > anyway. Does anyone have any success stories or warnings
    > about running with this configuration?
    >
    > 2) In the figure mentioned above, the public and private
    > networks are VLAN'd on the same switches. Provided sufficient
    > access restrictions are in place on the switches, are there
    > security issues with the VLAN config? I rarely see VLAN config
    > issues mentioned in network security discussions.
    >
    > Thanks,
    >
    > Dave Waldo
    >

    -------------- -- ---- ---- --- - - - - - -- - - - - - -
    Tony Bourke tonyIZZATvegan.net



    This archive was generated by hypermail 2b30 : Wed Feb 28 2001 - 17:00:43 EST