Re: Question re: load balancers as a security device

-Sounds like employees at the ISP have access to those servers, and by extension, could get into your network.
-Many ISPs have "service" networks for backups and management - what if a server on the same backup segment has a virus and infects your machine and then jumps into your corporate address space?

-Unless the load balancers are doing some sort of filtering, it seems that the machines are being touched -- The load balancers basically deciding WHICH machine will be accessed, and pass everything, such as through the injection attempts, to the web server behind it....





----- Original Message ----
From: "dan.tesch@xxxxxxxxxxx" <dan.tesch@xxxxxxxxxxx>
To: pen-test@xxxxxxxxxxxxxxxxx
Sent: Tuesday, January 22, 2008 10:05:28 AM
Subject: Question re: load balancers as a security device

I'm new to a company that has a large number of sites parked on
managed

servers at a hosting facility - the servers, firewalls and
load

balancers are exclusive to our use but managed by the ISP.

In reviewing our site design I have seen that the VPN between our
LAN

and the hosting facility permits all IP traffic in both directions
-

effectively making these public facing servers part of our LAN in
my

opinion.

For obvious reasons I'm looking to change this. Nobody is
lobbying

against the change but a senior developer that was involved in
the

original design points out that because of the load balancers in front of
the

servers, the world at large is not able to touch the machines and
thus

the potential for compromise is limited.

Could I get some comments from this community about how vulnerable
or

not this type of setup might be? I'm looking for specific info
related

to the load balancers not commentary about the corporate LAN in
this

situation - even if the combination of the firewalls and load
balancers

provide 99.9% protection I think it is a bad idea and would most
likely

not pass PCI scrutiny.

Thanks

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------





------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Relevant Pages

  • Re: Question re: load balancers as a security device
    ... managed servers at a hosting facility - the servers, ... load balancers are exclusive to our use but managed by the ISP. ... There are exploits "in the wild" where a shell is created and the control connection for it is set up *outbound* to the attacker. ... There are also exploits "in the wild" where individual command shell commands can be run, and the results returned in the http reply. ...
    (Pen-Test)
  • Re: Question re: load balancers as a security device
    ... servers at a hosting facility - the servers, firewalls and load balancers ...
    (Pen-Test)
  • Re: CAS and Hub load balancing
    ... The original post didn't but my answer covers the DMZ situation. ... Please let me add that hardware load balancers are highly preferred over ... NLB, but I recognize the cost issue, especially in lower-volume shops. ... The CAS servers will be load balanced for OWA. ...
    (microsoft.public.exchange.design)
  • Re: Sendmail relaying for all sub-domains... can I stop this?
    ... relaying for your 130.89/16 network. ... ease of administration all 5 servers have the same configuration. ... Ideally, have 3 load balancers, each primary for one IP ... Peter Peters, senior netwerkbeheerder ...
    (comp.mail.sendmail)