Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Question re: load balancers as a security device

From: "Robert E. Lee" <robert () outpost24 com>
Date: Tue, 29 Jan 2008 12:07:35 +0100

On Sat, 2008-01-26 at 22:07 +0800, Roland Dobbins wrote:

*What I have grown tired of* is the continuing lack of understanding  
of the concept of DDoS attacks being attacks against capacity and/or  
state, and that instantiating a lot of state in front of a host,  
either with a load-balancer or with a firewall, renders said host  
*more* vulnerable to the DDoS, not less.


I agree with you on this point. In my manual testing days, I have taken
down entire data-centers by manipulating the bottleneck/choke-point.

However, classifying devices as security or not security seems like a
wasted effort. Each device has a function; if you have a goal, you can
decide if the function brings you closer to, or further from that goal.

For you metric minded people out there, the new Risk Assessment Values
(RAV's) with the ISECOM's 3.x OSSTMM will really help you measure the
benefits you get by adding or removing a device from your environment.
You can use RAV's pre and post implementation to determine if the
device/function brings any "security" benefit.

Robert

-- 
Robert E. Lee
Chief Security Officer
Outpost24 - One Step Ahead
http://www.outpost24.com
 
SE Phone: +46 455-61-2320
US Phone: +1 801-924-5902
email: robert () outpost24 com


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: