|
Malcolm Turnbull wrote:
>
> Assuming that you have an LVS loadbalancer running on a linux box
> and this box is behing a firewall so that only ports 80 & 443 are
> allowed from clients.
>
> Do you really need to harden the loadbalancer firewall rules ?
Ratz is the expert on this.
There's the technical level. Can an intruder who gets beyond
the firewall do any damage after getting access to the director,
the realservers? If so do you care (maybe you do maybe you don't
- it will depend on what you have on those machines - if it's only
publically available readonly webpages, you're less concerned
than if you have customer business information on it).
Are there adjacent machines on the network that have more sensitive
data than yours that could be attacked from your compromised machines?
But security is more than a technical thing. How are your customers
going to react if the website goes down, gets replaced by an obscene
image, has credit card info stolen? Someone is going to have to go
talk to them and explain why the breakin was beyond anything that
you could be expected to handle, mollify them and make sure you keep
the account. You'll also have to explain to potential customers why
the last breakin wasn't something that they should view negatively
when choosing you.
I'd say the minimum for a production machine exposed to the internet
is a rule on each machine (director and realservers) that only allows
the packets needed for the LVS (by port, IP, proto) and drops the rest.
Every packet to and from a machine must be inspected by a filter rule.
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
|
