Penetration Testing mailing list archives
Re: Question re: load balancers as a security device
From: David Glosser <david_glosser () yahoo com>
Date: Tue, 22 Jan 2008 12:31:44 -0800 (PST)
-Sounds like employees at the ISP have access to those servers, and by extension, could get into your network. -Many ISPs have "service" networks for backups and management - what if a server on the same backup segment has a virus and infects your machine and then jumps into your corporate address space? -Unless the load balancers are doing some sort of filtering, it seems that the machines are being touched -- The load balancers basically deciding WHICH machine will be accessed, and pass everything, such as through the injection attempts, to the web server behind it.... ----- Original Message ----
From: "dan.tesch () comcast net" <dan.tesch () comcast net> To: pen-test () securityfocus com Sent: Tuesday, January 22, 2008 10:05:28 AM Subject: Question re: load balancers as a security device I'm new to a company that has a large number of sites parked on managed
servers at a hosting facility - the servers, firewalls and
load
balancers are exclusive to our use but managed by the ISP.
In reviewing our site design I have seen that the VPN between our LAN
and the hosting facility permits all IP traffic in both directions
-
effectively making these public facing servers part of our LAN in
my
opinion.
For obvious reasons I'm looking to change this. Nobody is lobbying
against the change but a senior developer that was involved in
the
original design points out that because of the load balancers in front of
the
servers, the world at large is not able to touch the machines and
thus
the potential for compromise is limited.
Could I get some comments from this community about how vulnerable or
not this type of setup might be? I'm looking for specific info
related
to the load balancers not commentary about the corporate LAN in
this
situation - even if the combination of the firewalls and load
balancers
provide 99.9% protection I think it is a bad idea and would most
likely
not pass PCI scrutiny.
Thanks ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Re: Question re: load balancers as a security device, (continued)
- Re: Question re: load balancers as a security device kevin horvath (Jan 23)
- Re: Question re: load balancers as a security device Marcos Pitanga (Jan 23)
- Re: Question re: load balancers as a security device bugtraq (Jan 25)
- Re: Question re: load balancers as a security device Marcos Pitanga (Jan 23)
- Re: Question re: load balancers as a security device Roland Dobbins (Jan 23)
- Re: Question re: load balancers as a security device Timothy Shea (Jan 25)
- Re: Question re: load balancers as a security device Roland Dobbins (Jan 28)
- Re: Question re: load balancers as a security device Robert E. Lee (Jan 29)
- Re: Question re: load balancers as a security device Timothy Shea (Jan 25)
- Re: Question re: load balancers as a security device kevin horvath (Jan 23)
- Re: Question re: load balancers as a security device Sanjay R (Jan 23)
- Re: Question re: load balancers as a security device David Howe (Jan 25)
- Re: Question re: load balancers as a security device Dotzero (Jan 25)
- Re: Question re: load balancers as a security device David Glosser (Jan 23)