A passive intrusion detection system sitting on a SPAN or mirrored port
can make up for the features that packet filtering on the load balancer
> Even with an Alteon doing the filtering, you don't have as much control over
> the traffic as you would with a true firewall, and the load balancer doesn't
> provide good reporting of discarded packets.
> Many folks are getting big into using intrusion detection systems. I
> believe that before you get into intrusion detection, you should have your
> firewall logs watched and analyzed regularly (find out who is fiddling with
> the lock outside your door). The load balancers won't provide much
> information to help you determine if you're being attacked or not (just that
> hundreds of packets are being discarded).
> If someone does a portscan against your firewall, the logs will show it
> immediately. If someone does a portscan against your load balanced switch,
> all you'll see is a thousand dropped packets with no other clues as to what
> was going on.
> -Tim Titus------------------------------
> Director, Internet Operations, NCS Learn
> -----Original Message-----
> From: David Waldo [mailto:waldoIZZATcos.com]
> Sent: Wednesday, February 28, 2001 10:01 AM
> To: 'lb-lIZZATvegan.net'
> Subject: [load balancing] Security Issues with Load Balancing
> Two questions about security. In both cases I'm talking
> about a route-path, NAT-based load balancing configuration
> similar to Figure 4 in Tony Bourke's article at:
> 1) I don't see much point in putting a firewall in front
> of this type of configuration, since most NAT-based
> load balancers can do packet filtering, and you usually
> only want to open up a small number of ports (80, 443, 22?)
> anyway. Does anyone have any success stories or warnings
> about running with this configuration?
> 2) In the figure mentioned above, the public and private
> networks are VLAN'd on the same switches. Provided sufficient
> access restrictions are in place on the switches, are there
> security issues with the VLAN config? I rarely see VLAN config
> issues mentioned in network security discussions.
> Dave Waldo
-------------- -- ---- ---- --- - - - - - -- - - - - - -
Tony Bourke tonyIZZATvegan.net
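The difference Tim describes above (a firewall deny log that shows a portscan immediately versus a load balancer that only reports a pile of dropped packets) is easy to make concrete. The script below is an added example, not code from anyone in this thread: it runs simple portscan detection over a constructed, generic deny-log format (timestamp, DENY, proto, src:port -> dst:port). Real firewall and IDS log formats differ, so parse_line() is the part you would adapt; the window and port-count thresholds are assumptions chosen for the sample, not vendor defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall deny log (not from the original post).
# One host, 203.0.113.7, sweeps ports on 198.51.100.10; the rest is
# ordinary noise: a stray UDP packet and a client retrying one port.
SAMPLE_LOG = """\
2001-02-28 10:01:01 DENY TCP 203.0.113.7:40001 -> 198.51.100.10:21
2001-02-28 10:01:01 DENY TCP 203.0.113.7:40002 -> 198.51.100.10:22
2001-02-28 10:01:02 DENY TCP 203.0.113.7:40003 -> 198.51.100.10:23
2001-02-28 10:01:02 DENY TCP 203.0.113.7:40004 -> 198.51.100.10:25
2001-02-28 10:01:03 DENY TCP 203.0.113.7:40005 -> 198.51.100.10:53
2001-02-28 10:01:03 DENY TCP 203.0.113.7:40006 -> 198.51.100.10:110
2001-02-28 10:01:04 DENY TCP 203.0.113.7:40007 -> 198.51.100.10:139
2001-02-28 10:01:04 DENY TCP 203.0.113.7:40008 -> 198.51.100.10:445
2001-02-28 10:01:05 DENY TCP 203.0.113.7:40009 -> 198.51.100.10:3306
2001-02-28 10:01:05 DENY TCP 203.0.113.7:40010 -> 198.51.100.10:8080
2001-02-28 10:01:07 DENY UDP 192.0.2.44:5353 -> 198.51.100.10:5353
2001-02-28 10:01:09 DENY TCP 192.0.2.99:51000 -> 198.51.100.11:8443
2001-02-28 10:01:10 DENY TCP 192.0.2.99:51001 -> 198.51.100.11:8443
"""

# Assumed line layout for the constructed log; adapt for your firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dport), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["src"], m["dst"], int(m["dport"]))


def find_port_scans(log_text, window=timedelta(seconds=60), min_ports=8):
    """
    Flag a source as a scanner when it is denied on at least `min_ports`
    distinct destination ports within any `window`-long span of time.
    Returns {src_ip: {"ports": [...], "targets": [...], "first": ts, "last": ts}}.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, dport = rec
            events[src].append((ts, dst, dport))

    scanners = {}
    for src, evs in events.items():
        evs.sort()  # time order so the sliding window below is valid
        start = 0
        flagged = False
        for end in range(len(evs)):
            # Advance the window start until the span fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({p for _, _, p in evs[start:end + 1]}) >= min_ports:
                flagged = True
                break
        if flagged:
            scanners[src] = {
                "ports": sorted({p for _, _, p in evs}),
                "targets": sorted({d for _, d, _ in evs}),
                "first": evs[0][0],
                "last": evs[-1][0],
            }
    return scanners


def drop_count(log_text):
    """All a bare discard counter tells you: how many packets were dropped."""
    return sum(1 for line in log_text.splitlines() if parse_line(line))


if __name__ == "__main__":
    for src, info in find_port_scans(SAMPLE_LOG).items():
        print(f"port scan from {src}: {len(info['ports'])} ports on "
              f"{info['targets']} between {info['first']:%H:%M:%S} "
              f"and {info['last']:%H:%M:%S}")
    print(f"total denies (the load-balancer view): {drop_count(SAMPLE_LOG)}")
```

drop_count() is the load-balancer view of the same traffic: thirteen discards and nothing else. find_port_scans() needs the per-packet source, destination and port that a firewall log (or a passive IDS on a SPAN port) records, and from them attributes ten probed ports to a single source while ignoring the client that merely retried one port. The thresholds trade sensitivity for false positives; a slow scan spread over hours needs a longer window or a lower port count than the values used here.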
This archive was generated by hypermail 2b30 : Wed Feb 28 2001 - 17:00:43 EST