
Re: Unusual LVS setup

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx, jnorthcott@xxxxxxxx
Subject: Re: Unusual LVS setup
From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Thu, 19 Jul 2001 07:05:44 -0400

James Northcott wrote:
> 
> I'd like to ask for your comments on setting up a rather involved LVS -

looks normal to me :-)

> I have the private subnet RIP's on the realservers so that I can ssh to
> a realserver and then from there ssh to the director for maintenance.
> Since the DIP is in the same private subnet, it should ONLY be
> accessible in this way.

make sure sshd only listens on the DIP, use tcpserve or xinetd on the director,
real-servers.
 
> I have the public IP's on the realservers because some of my web sites
> need to fetch live XML data from outside sources for formatting by the
> web server before being sent back to the client.

put filters so only the XML requests can go over these public IPs, have routes
to only the XML targets (if there is a limited number of them), 
rather than a default route.
 
> 1.      Security
> 
> I think that as long as I close all incoming ports on the public IP's on
> the realservers and only allow the XML data feeds that I need, that this
> should be very secure - the director is not directly accessible, and
> neither are the realservers except on the locally firewalled public
> IP's.  Am I right here?

you can handle everything you can think of and then next month someone
will find a hole that no-one has thought of before. Security
is a great career choice, your job will never be done.

> in fact, I think that it really
> doesn't have anything to do with the LVS.  Is that the case?

yes

Joe

-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
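
Added example, not part of the message above or of the LVS project: a shell check for two of the points in the reply, that sshd is bound only to the intended address and that the public interface carries routes only to the listed XML targets rather than a default route. The function names, the interface name `eth1` and every address are assumptions made for illustration; only the IPv4 `address[:port]` form of `ListenAddress` is handled.

```shell
#!/bin/sh
# Added example; every address and config line below is constructed sample data.

# check_sshd_listen ADDR   (sshd_config text on stdin)
# Passes only if a ListenAddress exists and each one equals ADDR.
# Without any ListenAddress, sshd binds to all local addresses.
check_sshd_listen() {
    awk -v want="$1" '
        { sub(/#.*/, "") }                        # drop comments
        tolower($1) == "listenaddress" {
            addr = $2
            sub(/:[0-9]+$/, "", addr)             # strip optional :port (IPv4 form only)
            seen = 1
            if (addr != want) { print "sshd also listens on " addr; bad = 1 }
        }
        END {
            if (!seen) { print "no ListenAddress: sshd binds to all addresses"; bad = 1 }
            exit bad + 0
        }'
}

# check_routes DEV "TARGET ..."   (`ip route show` output on stdin)
# Passes only if every non-connected route out of DEV is a listed target,
# so a default route via the public interface is reported.
check_routes() {
    awk -v dev="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            d = ""
            for (i = 1; i < NF; i++) if ($i == "dev") d = $(i + 1)
            if (d != dev || $0 ~ /scope link/) next   # other NIC or connected subnet
            if (!($1 in ok)) { print "unexpected route via " dev ": " $1; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Constructed demo: director sshd bound to the DIP, realserver with a stray default route.
printf 'Port 22\nListenAddress 192.168.1.9\n' | check_sshd_listen 192.168.1.9 \
    && echo "sshd: only the DIP"
printf '%s\n' 'default via 203.0.113.1 dev eth1' \
              '198.51.100.20 via 203.0.113.1 dev eth1' \
    | check_routes eth1 "198.51.100.20" || echo "routes: tighten before going live"
```

On a live host the same functions can be fed from `/etc/ssh/sshd_config` and from `ip route show`.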

