|
> Certainly it is true that packets must "pass through the director",
Not all packets -> is important for the statefull packetfiltering.
> indicating that good security on that(those) box(es) leads to a better
> topology/architecture from that perspective. However, keep in mind that
> your LVS box(es) then also indicate a single point of failure for your
> entire network (think DOS). Additionally, my own experiences with NAT leads
> me to believe that more than anything else it breeds a false sense of
> security.
Mhh, I couln't think of it, why?
> You have to ask yourself, what am I actually securing? Is it static html
> that has very little chance of a security breach through the webserver? Is
> it an ecommerce site with credit card #'s being protected? Choose
> appropriately.. and don't take the path less traveled. :>
IMO, it doesn't matter, if you're running an e-gov site or you mom's homepage.
You have to secure it anyway, because the webserver is not the only machine
on a net. A breach of the webserver mostly leads to a breach of the other
systems too. You don't want that.
> This is not even counting the vast performance hit that NAT breeds upon an
> LVS setup instead of a DR type setup. We're talking a huge difference here.
> If performance and scalability is in your bag then I'd highly recommend
> going with LVS-DR.
How true!
> We're talking about a firewall, right? #1 rule of firewalls is.. it's a
> firewall!!!!
:) rule #1 of fightclub: we do not talk about fightclub!
Sorry pal, what should this statement tell him? Most of the time people
say firewall and mean packetfilter. I rather speak of firewall components,
such as proxy firewall, packetfilter and IDS. A firewall is everything and
nothing.
> Don't do anything like mail or load-balancing if you want a
> firewall.
Why??? If I take a raptor smtp proxy, I have a pretty much secured email
for example. Why does load-balancing and firewalling not belong together?
> Treat it like it's protecting your business and saving your ass,
> because it is.
If firewalls were to protect my ass, I'd been shot in five minutes by
myself!
> That having been said, I have heard that the main stipulation with LVS-DR
> setup is that you can't have it be both the director and a real server.
> This would seem to indicate that you could pop a few extra network cards
> (dual or quad card would be good) into the box and have it be a firewall.
Or you do a proper network design and safe the troubles by separating the
packetfilter from the LVS box. Just my 2 cents ...
> There's a huge market for firewalls. I would be amazingly surprised if this
> were actually the case, even in the < $5000 bracket. There is lots of
> specialized hardware that could make your firewall scream out there.
All crap, I've been doing firewall penetration tests since 4 years. From the
newest iptables child over Cisco and Checkpoint to full blown Raptor firewall.
I tell you something: The commercial firewalls just suck for what they should
be worth their money. You can crash every checkpoint by adding multiple SNAT
rules with ipmasqadm on the same box, you can crash every Raptor in 20 minutes
with enough SYN-requests if you set up more then 1 external interface definition
and send the packets with SIP == EXT_IF_1. The backlog queue of Solaris fills
up and doesn't get removed because raptor thinks that the packet got delivered
locally. After the memory is exhausted ... BOOM!! Full freeze, a STOP-A && sync
after the 4th time crashed my disk completely. Welcome to the world of
firewalls!
> Back to "NAT versus DR": with a NAT architecture, one of the main drawbacks
> and reasons for it being so much of a performance bottleneck is the address
> translation. If you could setup DR architecture with a firewall guarding
> everything with no NAT functionality (read : routable IPs), I definitely see
> a better architecture there.
I agree comopletely :)
> How many hits are we talking about? If this is a busy site, then you should
> very seriously consider going with a custom firewall solution (maybe IP
> tables? Ip chains isn't superb) and DR.
What consideration is this? Security doesn't depend on the amount of hits or
I misread your statement here. "maybe IPtables? Ip chains isn't superb"
Have you actually had a look at the code or why do you think it isn't superb
for filtering traffic to a webserver cluster with LVS_DR running?
Best regards,
Roberto Nibali, ratz
--
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
|
