RE: [nsp] BCP for LD Security

From: F. David Sinn (dsinn@dsinn.seanet.com)
Date: Fri Mar 09 2001 - 14:35:22 EST


Not necessarily needed, but it is the easiest place to put the firewall in
your configuration.

Also, why not have the data dropped before it uses the resources of your LD or
6500?

David

-----Original Message-----
From: Edward S. Desouza [mailto:edward_desouza@yahoo.com]
Sent: Thursday, March 08, 2001 10:01 PM
To: F. David Sinn; cisco-nsp@puck.nether.net
Subject: RE: [nsp] BCP for LD Security

Do you think it is needed to have a firewall in front
of my LD? I don't have any ports besides 80 open.
Also, I presume that the IDS blade on the 6500 will be
able to intercept streaming attacks?

Rgds,

Edward
--- "F. David Sinn" <dsinn@dsinn.seanet.com> wrote:
> As to question #2, you can't have a firewall
> directly behind the LD. You
> would have to implement a firewall between the
> 6500's and your servers if
> you intend to keep ASLB.
>
> ASLB works by the 6500 learning about the balancing
> decision from the LD and
> then doing the packet changes itself. Once the ASLB
> cache has been made,
> the LD is no longer in the loop, and thus if you had
> a firewall directly
> behind the LD it would not be in the loop either.
>
> It would probably just be simpler to place your
> firewall ahead of the LD.
>
> David
> -----Original Message-----
> From: Edward Desouza
> [mailto:edward_desouza@yahoo.com]
> Sent: Thursday, March 08, 2001 9:41 AM
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] BCP for LD Security
>
>
> Hi,
> This question is addressed to all the security
> gurus out there:
>
>
> 1. I have 2 front end web servers
> 2. I am using a Cisco LD 430 for load balancing
> 3. The two web servers are connected to a 6509 switch
> which, in conjunction with the
> LD, offers ASLB (Accelerated Server Load Balancing)
> 4. I am using an IDS blade on the 6509
> 5. The front end web servers are on private address
> space (the LD is doing
> a NAT functionality)
>
> My question is as follows :
>
> 1. Since the LD is listening only on port 80 on a
> valid IP, do I need a
> firewall in front of my LD? Can the IDS blade on
> the 6509 prevent against
> streaming attacks?
>
> 2. If I don't need a firewall in front of the LD, can
> a firewall be placed
> behind the LD? From the Cisco docs on ASLB, the
> backend servers and the
> valid IPs have to be on two VLANs. If I introduce a
> firewall behind the LD
> this requirement is violated.
>
> I need to know what is a Best Common Practice when
> deploying a Cisco LD with
> a firewall.
>
>
> Rgds,
>
> Edward
>

=====
Edward S. Desouza
23/24 Manali 5,
Evershine Nagar,
Malad (W),
Bombay 400064.
Tel :9122-8886362

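The thread settles on placing the filtering ahead of the LocalDirector, because once the 6500's ASLB cache holds a flow the LD (and anything behind it) is bypassed, and because traffic should be dropped before it consumes LD or 6500 resources. The smallest form of "ahead of the LD" is an inbound access list on the Internet-facing interface of the upstream router. The configuration below is an added example, not from any poster in this thread or from Cisco documentation; it assumes a hypothetical VIP of 192.0.2.10 and an upstream address of 203.0.113.2 (RFC 5737 documentation ranges), an Internet-facing interface named FastEthernet0/0, and that port 80 on the VIP is the only service that must be reachable, as stated in the original question.

```cisco
! Added example: stateless filter in front of the LocalDirector.
! Assumed values: VIP 192.0.2.10, router interface FastEthernet0/0 with
! 203.0.113.2/30 facing the Internet. Adjust to the real addressing.
ip access-list extended LD-FRONT-IN
 ! The only service exposed is HTTP on the LD's virtual IP.
 permit tcp any host 192.0.2.10 eq www
 ! Everything else (other ports on the VIP, the RFC 1918 server space,
 ! the 6509's own addresses) is dropped here, before it reaches the LD
 ! or the switch. "log" gives a record of what was refused.
 deny ip any any log
!
interface FastEthernet0/0
 description Internet-facing link, ahead of the LocalDirector
 ip address 203.0.113.2 255.255.255.252
 ! Applied inbound only: replies from the web servers to clients leave
 ! through this interface unfiltered, so the ASLB return path is intact.
 ip access-group LD-FRONT-IN in
```

Two caveats a practitioner would check before relying on this. First, an access list matches header fields only; it does not track TCP state, so a SYN flood against the VIP on port 80 passes the list unchanged, and protecting that one open port is exactly what a stateful firewall in front of the LD would add. Second, if the 6509 itself is the Internet-facing device, the same access list can be applied to the upstream VLAN interface, but it is then the switch, not a separate router, that spends cycles on the denied traffic, so the "drop it before it uses the 6500's resources" argument only fully holds when the filter sits on a box upstream of the switch.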



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:31 EDT