|
Alois Treindl wrote:
>
> Everyone seems to recommend VS-DR instead of VS-NAT.
>
> I have a few questions regarding this preference.
>
> a) security
> Isn't it true that a 2-NIC VS-NAT setup is intrinsically
> more secure than a VS-DR setup?
compared to a secured setup, both are insecure. I doubt if
it is worth any time to evaluate which is the most insecure :-)
> The NAT setup has no physical connection between the realservers
> and the outside network, every packet must pass through the director.
> The masquerading and ipvs-configuration of the director are the
> only critical point, how packets can be moved between the inside and
> outside
> networks.
>
> The DR-setup needs a physical connection from each realserver to the
> outside network, for the return packets.
> Any configuration error in any of the realservers contains a risk
> that uncontrolled packets can flow between the outside network and the
> inside network.
yes, but have you read
http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO-12.html#ss12.5
the router doesn't need a route to the real-servers in VS-DR.
> We have multiple points of security failure (every real server)
> instead of a single
> point (director).
yes
> b) director as firewall
> If I have no separate firewall for the LVS cluster, but want to use
> the director
> for it, then VS-NAT is the only choice.
> VS_DR would need a firewall outside of both, the director and the
> return-cables
> from the realservers.
> Is that correct?
no-one has spent much time on making an LVS secure. It's on my
todo list, but for the moment people are putting them behind their
main firewall.
You can make the director the default gw for VS-DR real-servers
if you accept packets for the VIP on the director by transparent
proxy (2.2.x kernels only) or use Julian's martian modification
http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO-12.html#ss12.4
If you need to make an LVS secure, then you're going to have to think about
what you're doing. I expect some work will be needed. Whether it is
faster/simpler to do it with VS-NAT or VS-DR I'm not sure.
> c) performance advantage of DR versus NAT
> If I need such a firewall outside of the LVS, which all incoming
> packets
> and return packets have to pass: the supposed performance advantage of
> DR
> goes away, it is just that the bottleneck which all packets have to
> pass moves
> from director to firewall box.
> There is no intrinsic reason why a separate firewall box should be
> able to do its
> job faster than the director itself, if comparable hardware (CPU
> speed, RAM size)
> is chosen.
> is that correct?
Yes, but you're only saying that if you have a bottleneck outside the LVS, then
you can't increase the output from your LVS beyond the bottleneck rate.
> If my assumptions are correct, what is the advantage of DR versus NAT
> in a production http-server which needs firewalling against the
> Internet?
The same LVS can get about twice the throughput with VS-DR compared
to VS-NAT. If you have a bottleneck outside the LVS, then you need
less powerful hardware in the LVS is you are using VS-DR.
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
|
