RE: [nsp] BCP for LD Security

From: F. David Sinn (dsinn@dsinn.seanet.com)
Date: Thu Mar 08 2001 - 13:28:22 EST


As to question #2, you can't have a firewall directly behind the LD. You
would have to implement a firewall between the 6500s and your servers if
you intend to keep ASLB.

ASLB works by the 6500 learning about the balancing decision from the LD and
then doing the packet changes itself. Once the ASLB cache has been made,
the LD is no longer in the loop, and thus if you had a firewall directly
behind the LD it would not be in the loop either.

It would probably just be simpler to place your firewall ahead of the LD.

David
-----Original Message-----
From: Edward Desouza [mailto:edward_desouza@yahoo.com]
Sent: Thursday, March 08, 2001 9:41 AM
To: cisco-nsp@puck.nether.net
Subject: [nsp] BCP for LD Security

Hi,
 This question is addressed to all the security gurus out there:

1. I have 2 front end web servers
2. I am using a cisco ld 430 for load balancing
3. The two web servers are connected to a 6509 switch, which in conjunction with the
LD offers ASLB (accelerated server load balancing)
4. I am using an IDS blade on the 6509
5. The front end web servers are on private address space ( the LD is doing
a NAT functionality )

My question is as follows :

1. Since the LD is listening only on port 80 on a valid IP, do I need a
firewall in front of my LD ? Can the IDS blade on the 6509 prevent against
streaming attacks ?

2. If I don't need a firewall in front of the LD, can a firewall be placed
behind the LD? From the Cisco docs on ASLB, the backend servers and the
valid IPs have to be on two VLANs. If I introduce a firewall behind the LD
this requirement is violated.

I need to know what the Best Common Practice is when deploying a Cisco LD with
a firewall.

Rgds,

Edward
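To make David's point about the ASLB cache concrete, here is an added toy model of the packet path (constructed for this thread, not Cisco code and not part of either message): the 6500 learns the LD's decision on the first packet of a flow and handles later packets itself, so a firewall placed only behind the LD sees one packet per flow, while one ahead of the LD sees them all. Addresses, server list and device names are assumed.

```python
"""Toy model of the packet path with accelerated server load balancing (ASLB).

Constructed illustration only: the 6500 caches the LocalDirector's (LD)
balancing decision from the first packet of a flow and rewrites the rest of
that flow itself, so the LD, and anything placed only behind it, drops out
of the path once the cache entry exists.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    client: str
    src_port: int
    vip: str = "203.0.113.10"   # constructed public VIP on the LD
    dst_port: int = 80


@dataclass
class Topology:
    firewall: str                                  # "ahead_of_ld" or "behind_ld"
    servers: tuple = ("10.0.0.11", "10.0.0.12")    # constructed private servers
    cache: dict = field(default_factory=dict)      # ASLB cache: flow -> server
    rr: int = 0                                    # round-robin pointer

    def forward(self, flow: Flow) -> list:
        """Return the ordered list of hops that see this packet."""
        path = ["client"]
        if self.firewall == "ahead_of_ld":
            path.append("firewall")      # in line for every packet
        path.append("6500")
        if flow not in self.cache:
            # Cache miss: the LD makes the balancing decision and the 6500
            # learns it; a firewall behind the LD sees this first packet.
            path.append("ld")
            if self.firewall == "behind_ld":
                path.append("firewall")
            self.cache[flow] = self.servers[self.rr % len(self.servers)]
            self.rr += 1
        # Cache hit: the 6500 rewrites the packet itself; the LD and anything
        # that sits only behind it are bypassed.
        path.append(self.cache[flow])
        return path


def firewall_hits(firewall: str, packets: int) -> int:
    """Count how many packets of one flow a firewall at that position sees."""
    topo = Topology(firewall=firewall)
    flow = Flow(client="198.51.100.7", src_port=40000)   # constructed client
    return sum("firewall" in topo.forward(flow) for _ in range(packets))
```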



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:31 EDT