Re: [fw-wiz] Content Switch as security device?
From: Ben Nagy (ben@iagu.net)
Date: 01/30/03
- Next message: Martin Peikert: "Re: [fw-wiz] Acqusition of time"
- Previous message: Ben Nagy: "Re: [fw-wiz] Acqusition of time"
- In reply to: Ludolph, Michel: "[fw-wiz] Content Switch as security device?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ben Nagy" <ben@iagu.net>
To: "Ludolph, Michel" <Michel.Ludolph@atosorigin.com>, <firewall-wizards@honor.icsalabs.com>
Date: Thu Jan 30 09:40:02 2003
As long as the CSS thing is only between the outside world and a DMZ I don't
really see a problem.
I always believe that publicly available webservers should be confined to
a DMZ, properly hardened and, basically, shouldn't need a firewall to
protect them. A proper webserver cares naught for syn floods and
fragmentation attacks. Given that you're now thinking about the availability
and performance of your webservers, rather than their security per se,
there's a reasonably good case for this architecture (although I don't know
anything at all about the goodness of the actual boxes in question).
Just remember that you should always assume that your public webservers
could be hacked at any second and to model your security accordingly,
thinking about what an attacker could do if they had full control of the WWW
box. In a perfect world there shouldn't be any IP traffic at all from the
web DMZ to the Trusted network, but if there is it should absolutely be
secured to a higher standard (firewalls, IDS blah blah).
This is not a specific evaluation of your solution for your network and your
webservers, but the general idea doesn't trip any of my danger alarms.
Perhaps I just have a lower opinion of the security delta a traditional
firewall provides to a webserver.
Cheers,
ben
----- Original Message -----
From: "Ludolph, Michel" <Michel.Ludolph@atosorigin.com>
To: <firewall-wizards@honor.icsalabs.com>
Sent: Wednesday, January 29, 2003 9:18 PM
Subject: [fw-wiz] Content Switch as security device?
> This afternoon I had a discussion with a colleague. He told me about a
> proposed Corporate Internet connection. Instead of using a Firewall between
> the DMZ and the external network, the idea was to use a Cisco Content
> Switch. This would result in the following architecture: Internet -->
> screening router --> Content Switch --> router --> web servers.
>
> This would mean that the Content Switch also acts as a sort of
> proxy-firewall, justified by the fact that only defined ports are permitted.
>
> I do not feel very comfortable with this solution. What about syn-floods and
> fragmentation attacks? Further, a Content Switch is not designed to act as a
> security device (it may listen to ports you are not aware of).
>
> Has anyone come across such a solution, or have any thoughts on this?
>
> Thanks,
>
> Michel Ludolph
> michel.ludolph@atosorigin.com
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
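Added example (not from either poster): Michel's worry is that the content switch "may listen to ports you are not aware of", and the whole justification for the design is that "only defined ports are permitted". The only way to know is to scan the public side and diff what actually answers against what the design says should answer. The script below parses nmap's grepable (-oG) output and reports, per host, open ports that are not on the allowlist and allowlisted ports that are not open. The scan text, addresses, ports and allowlist are constructed for the example; nothing here is taken from the original post.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample of `nmap -oG -` (grepable) output for the Internet-facing
# side of the architecture in the thread.  Addresses and ports are invented
# for the example; 8443 on the first VIP plays the role of the "port you are
# not aware of".
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sS -p 1-65535 -oG - 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8443/open/tcp//https-alt///\tIgnored State: filtered (65532)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 22/filtered/tcp//ssh///\tIgnored State: filtered (65533)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Assumed allowlist: the "defined ports" the design says each VIP exposes.
# 192.0.2.12 is listed but never answered the scan, so the audit must flag
# it as a missing service rather than silently passing it.
EXPECTED: Dict[str, Set[int]] = {
    "192.0.2.10": {80, 443},
    "192.0.2.11": {80},
    "192.0.2.12": {443},
}

# One entry of the Ports: field looks like  8443/open/tcp//https-alt///
PORT_FIELD = re.compile(r"^(\d+)/(\w+)/(\w+)/")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Return {host: ports reported 'open' over tcp} from nmap -oG output.

    Filtered/closed entries are ignored; hosts that are up but report no
    ports still appear with an empty set so the audit can see them.
    """
    open_ports: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        open_ports.setdefault(host, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = PORT_FIELD.match(entry.strip())
                if m and m.group(2) == "open" and m.group(3) == "tcp":
                    open_ports[host].add(int(m.group(1)))
    return open_ports


def audit(observed: Dict[str, Set[int]],
          expected: Dict[str, Set[int]]) -> Dict[str, Tuple[Set[int], Set[int]]]:
    """Per host, return (unexpected open ports, expected ports that are not open).

    Hosts seen in only one of the two inputs are still reported: a VIP that
    appears in the scan but not in the allowlist has every open port flagged,
    and an allowlisted VIP that never answered has every port listed missing.
    """
    report = {}
    for host in sorted(set(observed) | set(expected)):
        seen = observed.get(host, set())
        want = expected.get(host, set())
        report[host] = (seen - want, want - seen)
    return report


if __name__ == "__main__":
    for host, (extra, missing) in audit(parse_grepable(SAMPLE_SCAN), EXPECTED).items():
        status = "OK" if not extra and not missing else "MISMATCH"
        print(f"{host}: {status} unexpected={sorted(extra)} missing={sorted(missing)}")
```

Run it against a real scan with `nmap -sS -p- -oG scan.txt <vip range>` from outside the screening router and feed the file in instead of SAMPLE_SCAN; anything in the "unexpected" column is a port the content switch (or the router in front of it) is exposing that the design never argued for, and is exactly what the screening router ACL should be tightened to drop.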