Firewall Wizards mailing list archives

Re: Load balancer in lieu of firewall...


From: The Unicorn <unicorn () blackhats org>
Date: Sun, 30 May 1999 13:12:37 +0200

Hi John,

On Mon, May 24, 1999 at 10:51:34AM -0400, John Nanas wrote:
Greets to all-

Pardon the simple question, but I've been bombarded by marketing material
and now have little sense left in me to make a rational decision.

We've been investigating load balancers for a new website that we're going
to launch.  The site has to be reasonably secure, which is why we've
allocated budget for a firewall as well as a load balancer.  The makers of
the BigIP, F5 Labs, assure us that the packet filtering features of their
load balancer are sufficient, and that we don't need a firewall.

I need to make a case of this, in simple terms, to my superiors.  Granted
that the device does packet filtering, it offers a good deal of security.
It does not have a telnet interface, and all configuration takes place using
SSL.

Does anyone have a suggestion as to why this wouldn't work?

Depends on the security of your webserver (and other servers you want to
provide to the outside world). Packet filters just determine if a packet
may enter or not. After entering I (oops, I mean the "evil hacker" of
course ;-) talk directly to your server. If there is a vulnerability in
that complex piece of software no packet filter is going to secure
you, but an application proxy firewall might...

Thanks,
John Nanas

---end quoted text---

Ciao,
Unicorn.
-- 
======= _ __,;;;/ TimeWaster ================================================
     ,;( )_, )~\| A Truly Wise Man Never Plays   PGP: 64 07 5D 4C 3F 81 22 73
    ;; //  `--;     Leapfrog With A Unicorn...        52 9D 87 08 51 AA 35 F0
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======
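
The distinction drawn in the reply above, as an added example that is not part of the original message: a header-only packet filter passes anything addressed to the web port, while an application-proxy style check parses the request before the server sees it. The addresses, the allowed-port policy, the size limit and the sample requests are constructed assumptions, not details of any product named in the thread.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport payload")

WEB_SERVER = "192.0.2.10"      # assumed address (RFC 5737 documentation range)
ALLOWED = {("tcp", 80)}        # assumed policy: only HTTP is let in
MAX_REQUEST_LINE = 2048        # assumed proxy limit
METHODS = {b"GET", b"HEAD", b"POST"}

def packet_filter(pkt):
    """Header-only decision: the payload is never examined."""
    return pkt.dst == WEB_SERVER and (pkt.proto, pkt.dport) in ALLOWED

def proxy_check(payload):
    """Application-level decision: parse the HTTP request line and
    refuse anything that is not a well-formed, bounded request."""
    line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return False, "no CRLF-terminated request line"
    if len(line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = line.split(b" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in METHODS:
        return False, "method not allowed"
    if not target.startswith(b"/") or any(c < 0x21 or c > 0x7E for c in target):
        return False, "bad request target"
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        return False, "bad protocol version"
    return True, "ok"

def verdicts(pkt):
    """Return (packet filter allows, proxy allows) for one packet."""
    return packet_filter(pkt), proxy_check(pkt.payload)[0]

# Constructed samples: an ordinary request, an oversized request line
# aimed at the same allowed port, and a connection to a closed port.
CLIENT = "198.51.100.7"
NORMAL = Packet(CLIENT, WEB_SERVER, "tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n")
OVERSIZED = Packet(CLIENT, WEB_SERVER, "tcp", 80,
                   b"GET /" + b"A" * 5000 + b" HTTP/1.0\r\n\r\n")
TELNET = Packet(CLIENT, WEB_SERVER, "tcp", 23, b"")

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL), ("oversized", OVERSIZED), ("telnet", TELNET)]:
        print(name, "filter:", packet_filter(pkt), "proxy:", proxy_check(pkt.payload))
```

The oversized request is indistinguishable from the normal one at the packet-filter layer, since both match the same address, protocol and port; only the check that understands HTTP can reject it.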


