> -----Original Message-----
> From: Alois Treindl [mailto:alois@xxxxxxxx]
> Sent: Monday, April 30, 2001 11:03 PM
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Security of VS-NAT versus VS-DR ?
>
>
> Everyone seems to recommend VS-DR instead of VS-NAT.
>
> I have a few questions regarding this preference.
>
> a) security
> Isn't it true that a 2-NIC VS-NAT setup is intrinsically
> more secure than a VS-DR setup?
>
> The NAT setup has no physical connection between the realservers
> and the outside network, every packet must pass through the director.
> The masquerading and ipvs-configuration of the director are the
> only critical point, how packets can be moved between the inside and
> outside networks.
>
> The DR-setup needs a physical connection from each realserver to the
> outside network, for the return packets.
> Any configuration error in any of the realservers contains a risk
> that uncontrolled packets can flow between the outside network and the
> inside network.
> We have multiple points of security failure (every real server)
> instead of a single point (director).
Certainly it is true that packets must "pass through the director",
indicating that good security on that(those) box(es) leads to a better
topology/architecture from that perspective. However, keep in mind that
your LVS box(es) then also indicate a single point of failure for your
entire network (think DOS). Additionally, my own experiences with NAT lead
me to believe that more than anything else it breeds a false sense of
security.
You have to ask yourself, what am I actually securing? Is it static html
that has very little chance of a security breach through the webserver? Is
it an ecommerce site with credit card #'s being protected? Choose
appropriately.. and don't take the path less traveled. :>
This is not even counting the vast performance hit that NAT breeds upon an
LVS setup instead of a DR type setup. We're talking a huge difference here.
If performance and scalability are in your bag then I'd highly recommend
going with LVS-DR.
>
> b) director as firewall
> If I have no separate firewall for the LVS cluster, but want to use
> the director for it, then VS-NAT is the only choice.
> VS-DR would need a firewall outside of both, the director and the
> return-cables from the realservers.
> Is that correct?
We're talking about a firewall, right? #1 rule of firewalls is.. it's a
firewall!!!! Don't do anything like mail or load-balancing if you want a
firewall. Treat it like it's protecting your business and saving your ass,
because it is.
That having been said, I have heard that the main stipulation with LVS-DR
setup is that you can't have it be both the director and a real server.
This would seem to indicate that you could pop a few extra network cards
(dual or quad card would be good) into the box and have it be a firewall.
>
> c) performance advantage of DR versus NAT
> If I need such a firewall outside of the LVS, which all incoming
> packets and return packets have to pass: the supposed performance
> advantage of DR goes away, it is just that the bottleneck which all
> packets have to pass moves from director to firewall box.
> There is no intrinsic reason why a separate firewall box should be
> able to do its job faster than the director itself, if comparable
> hardware (CPU speed, RAM size) is chosen.
> Is that correct?
There's a huge market for firewalls. I would be amazingly surprised if this
were actually the case, even in the < $5000 bracket. There is lots of
specialized hardware that could make your firewall scream out there.
Back to "NAT versus DR": with a NAT architecture, one of the main drawbacks
and reasons for it being so much of a performance bottleneck is the address
translation. If you could setup DR architecture with a firewall guarding
everything with no NAT functionality (read : routable IPs), I definitely see
a better architecture there.
>
> If my assumptions are correct, what is the advantage of DR versus NAT
> in a production http-server which needs firewalling against the
> Internet?
>
How many hits are we talking about? If this is a busy site, then you should
very seriously consider going with a custom firewall solution (maybe
iptables? ipchains isn't superb) and DR.
> Alois
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>
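An added example, not from this thread: a small Python audit for the VS-DR concern raised above (a real server with a leg on the outside network must not also route packets into the inside network). It parses constructed `sysctl -a` and `iptables-save` text; the VIP 192.0.2.10 and the sample dumps are assumptions.

```python
"""Check a VS-DR real server for the failure mode above: a box with a
leg on the outside network that also forwards packets to the inside.
Inputs are the text of `sysctl -a` and `iptables-save` (samples below
are constructed; the VIP 192.0.2.10 is an assumed value)."""
import re

def parse_sysctl(text):
    """Map 'key = value' lines to a dict; unrelated lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-/]+)\s*=\s*(.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def filter_policies(text):
    """Return {chain: policy} from the *filter table of iptables-save."""
    policies, in_filter = {}, False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
    return policies

def audit_realserver(sysctl_text, ipt_text):
    """Return a list of findings; an empty list means the box passes."""
    findings = []
    if parse_sysctl(sysctl_text).get("net.ipv4.ip_forward", "0") != "0":
        findings.append("ip_forward=1: real server can route outside -> inside")
    pol = filter_policies(ipt_text)
    for chain in ("INPUT", "FORWARD"):
        if pol.get(chain) != "DROP":
            findings.append("%s policy is %s, expected DROP" % (chain, pol.get(chain)))
    return findings

# Constructed sample dumps: a misconfigured real server and a hardened one.
SYSCTL_BAD = "net.ipv4.ip_forward = 1\n"
IPT_BAD = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"
SYSCTL_OK = "net.ipv4.ip_forward = 0\n"
IPT_OK = ("*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n"
          "-A INPUT -i lo -j ACCEPT\n"
          "-A INPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT\n"
          "COMMIT\n")

if __name__ == "__main__":
    for name, s, i in (("bad", SYSCTL_BAD, IPT_BAD), ("ok", SYSCTL_OK, IPT_OK)):
        print(name, audit_realserver(s, i) or ["pass"])
```

Run it against the real dumps of each real server; any finding means that box is a path between the outside and inside networks regardless of what the director does.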