RE: [load balancing] Security Issues with Load Balancing Infrastr ucture

From: tony bourke (tonyIZZATvegan.net)
Date: Wed Feb 28 2001 - 17:00:40 EST

Next message: Daniel Hagerty: "Re: [load balancing] Security Issues with Load Balancing Infrastructure"

Previous message: tony bourke: "Re: [load balancing] Security Issues with Load Balancing Infrastructure"
In reply to: Titus, Tim: "RE: [load balancing] Security Issues with Load Balancing Infrastr ucture"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

A passive intrusion detection system sitting on a SPAN or mirrored port
can make up for the features that packet filtering on the load balancer
don't provide.

Tony

> Even with an Alteon doing the filtering, you don't have as much control over
> the traffic as you would with a true firewall, and the load balancer doesn't
> provide good reporting of discarded packets.
>
> Many folks are getting big into using intrusion detection systems. I
> believe that before you get into intrusion detection, you should have your
> firewall logs watched and analyzed regularly (find out who is fiddling with
> the lock outside your door). The load balancers won't provide much
> information to help you determine if you're being attacked or not (just that
> hundreds of packets are being discarded).
>
> If someone does a portscan against your firewall, the logs will show it
> immediately. If someone does a portscan against your load balanced switch,
> all you'll see is a thousand dropped packets with no other clues as to what
> was going on.
>
> -Tim Titus------------------------------
> Director, Internet Operations, NCS Learn
> -----<www.NCSlearn.com>-----------------
>
>
>
> -----Original Message-----
> From: David Waldo [mailto:waldoIZZATcos.com]
> Sent: Wednesday, February 28, 2001 10:01 AM
> To: 'lb-lIZZATvegan.net'
> Subject: [load balancing] Security Issues with Load Balancing
> Infrastructure
>
>
> Two questions about security. In both cases I'm talking
> about a route-path, NAT-based load balancing configuration
> similar to Figure 4 in Tony Bourke's article at:
>
> http://sysadmin.oreilly.com/news/bourke_1100.html
>
> 1) I don't see much point in putting a firewall in front
> of this type of configuration, since most NAT-based
> load balancers can do packet filtering, and you usually
> only want to open up a small number of ports (80, 443, 22?)
> anyway. Does anyone have any success stories or warnings
> about running in with configuration?
>
> 2) In the figure mentioned above, the public and private
> networks are VLAN'd on the same switches. Provided sufficient
> access restrictions are in place on the switches, are there
> security issues with the VLAN config? I rarely see VLAN config
> issues mentioned in network security discussions.
>
> Thanks,
>
> Dave Waldo
>

-------------- -- ---- ---- --- - - - - - -- - - - - - -
Tony Bourke tonyIZZATvegan.net

Next message: Daniel Hagerty: "Re: [load balancing] Security Issues with Load Balancing Infrastructure"
Previous message: tony bourke: "Re: [load balancing] Security Issues with Load Balancing Infrastructure"
In reply to: Titus, Tim: "RE: [load balancing] Security Issues with Load Balancing Infrastr ucture"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Feb 28 2001 - 17:00:43 EST