Re: [load balancing] Security Issues with Load Balancing Infrastructure

From: Daniel Hagerty
Date: Wed Feb 28 2001 - 17:44:42 EST


    > In reality, there are no remote-exploits available for VLAN hacking that I
    > am aware of, nor any hacks I've ever heard of involving VLANs. Using two
    > VLANs on one switch (correctly configured) is just as safe as using two
    > separate switches. There are dozens of leading providers, ISPs, and web
    > sites that do the VLAN separation.

        Sorry, no. As recently as a year and a half ago cisco was shipping
    code for the catalyst that would allow an attacker to hop vlans. Send
    a packet with a vlan header on an untagged port, and the switch would
    happily do what you told it to do. This bug has been closed, but it
    was well known for quite some time.

        Even today, using vlans for security is assuming that your vendor
    & administrative staff doesn't make any mistakes. Would you be
    willing to say that never happens?

        This topic comes up on the firewall-wizards list again and again.

    Disclosure: I'm using vlans, but I'm aware that there are risks and
    am willing to accept them.

        Also, most firewalls worth their salt are doing significantly more
    than what an lb needs to do NAT; they actually police the flow,
    keeping lots of state across multiple packets about tcp windows and
    such. Many more sophisticated TCP attacks (e.g. session hijacks)
    don't work across this sort of thing; the first sign of trouble resets the
    flow. Not that you need to be too worried about that for your web
    server, but there are other places where it's more of a concern.
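The distinction the message draws between an lb that only does NAT and a firewall that "polices the flow" can be made concrete in a few dozen lines. The toy below is an added illustration, not code from the original message or from any product it mentions: a stateless forwarder that passes every segment, next to a stateful policer that records each side's expected next sequence number from the handshake and resets the flow the first time a segment falls outside the tracked window or acknowledges data the peer never sent. The addresses, ports, sequence numbers and fixed 64 KiB window are constructed sample values, and the handshake and window logic is a deliberate simplification of what a real firewall tracks.

```python
"""Toy stateful TCP flow policer versus a stateless forwarder.

Added illustration; not code from the original message. Hosts, ports,
sequence numbers and the fixed WINDOW are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MOD = 2 ** 32
WINDOW = 65_535  # assumed receive window for both sides (simplification)

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: frozenset
    length: int = 0  # payload bytes

    def key(self) -> Tuple[Endpoint, Endpoint]:
        # Canonical key so both directions of a connection share one flow record.
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (a, b) if a <= b else (b, a)


@dataclass
class Flow:
    established: bool = False
    # Next sequence number each endpoint is expected to send (None until seen).
    next_seq: Dict[Endpoint, Optional[int]] = field(default_factory=dict)


def seq_ahead(a: int, b: int) -> int:
    """How far sequence number a is ahead of b, modulo 2^32."""
    return (a - b) % MOD


class StatelessForwarder:
    """Stands in for a device that only rewrites addresses: no plausibility
    check per packet, every segment goes through."""

    def handle(self, seg: Segment) -> str:
        return "forward"


class StatefulPolicer:
    """Keeps per-flow sequence state; the first implausible segment tears the
    flow down, so anything that follows on it is no longer forwarded."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[Endpoint, Endpoint], Flow] = {}
        self.log: List[str] = []

    def _reset(self, key, reason: str) -> str:
        self.log.append(f"{key}: {reason}")
        self.flows.pop(key, None)
        return "reset"

    def handle(self, seg: Segment) -> str:
        key = seg.key()
        sender: Endpoint = (seg.src, seg.sport)
        peer: Endpoint = (seg.dst, seg.dport)
        flow = self.flows.get(key)

        if flow is None:
            # Only a bare SYN may create state.
            if seg.flags != frozenset({"SYN"}):
                return self._reset(key, "segment for unknown flow")
            self.flows[key] = Flow(next_seq={sender: (seg.seq + 1) % MOD, peer: None})
            return "forward"

        if "RST" in seg.flags:
            self.flows.pop(key, None)
            return "forward"

        if flow.next_seq[sender] is None:
            # First segment from the responder must be a SYN-ACK acking the SYN.
            if {"SYN", "ACK"} <= seg.flags and seg.ack == flow.next_seq[peer]:
                flow.next_seq[sender] = (seg.seq + 1) % MOD
                flow.established = True
                return "forward"
            return self._reset(key, "bad handshake response")

        expected = flow.next_seq[sender]
        # Allow a window ahead (new data) or behind (retransmission), nothing else.
        if min(seq_ahead(seg.seq, expected), seq_ahead(expected, seg.seq)) >= WINDOW:
            return self._reset(key, f"seq {seg.seq} outside window at {expected}")

        if "ACK" in seg.flags:
            ahead = seq_ahead(seg.ack, flow.next_seq[peer])
            if 0 < ahead < MOD // 2:
                return self._reset(key, "acknowledges data the peer never sent")

        end = (seg.seq + seg.length + (1 if "FIN" in seg.flags else 0)) % MOD
        if seq_ahead(end, expected) < WINDOW:
            flow.next_seq[sender] = end
        return "forward"


# Constructed sample conversation between a client and a web server.
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 80)


def c2s(seq, ack, flags, length=0):
    return Segment(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], seq, ack, frozenset(flags), length)


def s2c(seq, ack, flags, length=0):
    return Segment(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], seq, ack, frozenset(flags), length)


SAMPLE_TRAFFIC = [
    c2s(1000, 0, {"SYN"}),
    s2c(5000, 1001, {"SYN", "ACK"}),
    c2s(1001, 5001, {"ACK"}),
    c2s(1001, 5001, {"ACK", "PSH"}, length=100),  # request
    s2c(5001, 1101, {"ACK", "PSH"}, length=200),  # response
    # Segment claiming to come from the server whose sequence number is
    # nowhere near the tracked window (constructed).
    s2c(900_000, 1101, {"ACK", "PSH"}, length=10),
    # Legitimate client data arriving after the flow has been torn down.
    c2s(1101, 5201, {"ACK", "PSH"}, length=50),
]


def run(device, segments: List[Segment]) -> List[str]:
    return [device.handle(s) for s in segments]


if __name__ == "__main__":
    print("stateless:", run(StatelessForwarder(), SAMPLE_TRAFFIC))
    policer = StatefulPolicer()
    print("stateful: ", run(policer, SAMPLE_TRAFFIC))
    for line in policer.log:
        print("  ", line)
```

The stateless forwarder passes all seven segments; the policer forwards the handshake and the two in-window data segments, resets on the out-of-window segment, and then also refuses the client's later data because the flow state is gone, which is the "first sign of trouble resets the flow" behaviour the message describes.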

    This archive was generated by hypermail 2b30 : Wed Feb 28 2001 - 17:45:38 EST