Re: [fw-wiz] Content Switch as security device?
From: Dave Mitchell (dmitchell@viawest.net)
Date: 01/29/03
- Next message: Paul Robertson: "Re: [fw-wiz] terminal services"
- Previous message: Ludolph, Michel: "[fw-wiz] Content Switch as security device?"
- In reply to: Ludolph, Michel: "[fw-wiz] Content Switch as security device?"
- Next in thread: Gary Flynn: "Re: [fw-wiz] Content Switch as security device?"
- Reply: Gary Flynn: "Re: [fw-wiz] Content Switch as security device?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Dave Mitchell <dmitchell@viawest.net> To: "Ludolph, Michel" <Michel.Ludolph@atosorigin.com> Date: Wed Jan 29 16:05:04 2003
Michel,
I agree with your level of discomfort. A content switch is meant to balance L3->L4
traffic (yes, some others go to L7), not inspect and perform a policy on inbound/outbound
traffic. Depending on the type of switch, you might not even have an ASIC that can perform
under a DDOS or other type of attack. Content switches only balance traffic based on source
and dest IP/port, and use a load balancing algorithm to point it at your particular farm
or server. It does not perform any other packet inspection to prevent malicious traffic
like a SYN attack, replay, or any other you can think of.
Using a firewall will provide you stateful inspection of each packet to prevent anyone
from re-encapsulating other packets within HTTP or whatever and doing something malicious
to your web servers. Certain firewalls will provide you with rate shaping, threshold levels
for an attack, and other standard SYN protection, etc. With a real firewall, you can also
manage your farm via an IPSec VPN or another of your choice. Besides all of the features,
policy management, snmp, and syslog all help show you potential holes or attacks.
Having a firewall provides far more advantages than attempting to protect yourself
with a content switch.
-dave
On Wed, Jan 29, 2003 at 09:18:10PM +0100, Ludolph, Michel wrote:
> This afternoon I had a discussion with a colleague. He told me about a
> proposed Corporate Internet connection. Instead of using a Firewall between
> the DMZ and the external network, the idea was to use a Cisco Content
> Switch. This would result in the following architecture: Internet -->
> screening router --> Content Switch --> router --> web servers.
>
> This would mean that the Content Switch also acts as a sort of
> proxy-firewall, justified by the fact that only defined ports are permitted.
>
> I do not feel very comfortable with this solution. What about syn-floods and
> fragmentation attacks? Further, a Content Switch is not designed to act as a
> security device (it may listen to ports you are not aware of).
>
> Has anyone come across such a solution, or have any thoughts on this?
>
> Thanks,
>
> Michel Ludolph
> michel.ludolph@atosorigin.com
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
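As an added illustration, not part of Dave's post or anything from the list: a toy Python model of the difference he describes, a port-only allow list that keeps no state (the content-switch behaviour) beside a stateful tracker that enforces a per-destination half-open limit (the firewall behaviour), both run over a constructed packet trace. Addresses, ports and the threshold are made up for the example.

```python
"""Toy model: port-only forwarding vs. stateful tracking with a SYN half-open limit."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str  # "S" = SYN, "A" = ACK, "PA" = data with PSH/ACK (client side only)


ALLOWED_PORTS = {80, 443}   # constructed allow list
HALF_OPEN_LIMIT = 3         # constructed per-destination threshold


def port_only_filter(packets):
    """Content-switch style: forward anything to a permitted port, keep no state."""
    return [p for p in packets if p.dport in ALLOWED_PORTS]


def stateful_filter(packets, limit=HALF_OPEN_LIMIT):
    """Firewall style: track the handshake and refuse new SYNs past the half-open limit."""
    half_open = defaultdict(set)   # dst -> sources with an unanswered SYN
    established = set()            # (src, dst, dport) of completed handshakes
    forwarded, dropped = [], []
    for p in packets:
        key = (p.src, p.dst, p.dport)
        if p.dport not in ALLOWED_PORTS:
            dropped.append(p)
        elif p.flags == "S":
            if len(half_open[p.dst]) >= limit:
                dropped.append(p)          # too many half-open: SYN threshold hit
            else:
                half_open[p.dst].add(p.src)
                forwarded.append(p)
        elif p.flags == "A" and p.src in half_open[p.dst]:
            half_open[p.dst].discard(p.src)  # handshake completes
            established.add(key)
            forwarded.append(p)
        elif key in established:
            forwarded.append(p)
        else:
            dropped.append(p)  # mid-stream packet with no tracked connection
    return forwarded, dropped


def run_demo():
    """Constructed trace: one real client, a burst of spoofed SYNs, a stray ACK, an SSH probe."""
    legit = [Packet("203.0.113.5", "192.0.2.10", 80, f) for f in ("S", "A", "PA")]
    flood = [Packet(f"198.51.100.{i}", "192.0.2.10", 80, "S") for i in range(1, 6)]
    stray = [Packet("198.51.100.99", "192.0.2.10", 80, "A")]
    probe = [Packet("198.51.100.50", "192.0.2.10", 22, "S")]
    trace = legit + flood + stray + probe
    fwd, drp = stateful_filter(trace)
    return {"port_only_forwarded": len(port_only_filter(trace)),
            "stateful_forwarded": len(fwd), "stateful_dropped": len(drp)}
```

The port-only filter passes every spoofed SYN and the stray ACK because they hit a permitted port; the stateful tracker caps the half-open SYNs and drops the ACK that belongs to no handshake.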