CSS Best Practices for Security

Unanswered Question
Apr 4th, 2007
User Badges:
  • Blue, 1500 points or more

We have CSS-11501s in our DMZs (separate ASA interface) doing load balancing for our public Web servers. There is a new server load balancing requirement on the internal network. Technically, I see no problems with using separate ports and VLANs on the existing appliances, but I am wondering if this would pass a network security audit?

Any documents or references to support this kind of configuration would be appreciated.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
diro Thu, 04/05/2007 - 04:59
User Badges:
  • Bronze, 100 points or more

Hi dave,

Personnaly i wouldn't take the risk, because the css does operate like a router. So if somebody can force the routing so that the css is the next hop then everybody can connect to the internal vlan because the css routes unknown traffic. You could stop this kind of abuse by using acls on the css, but again that's not really approved by cisco.

Hope this helped you,


dgahm Mon, 04/23/2007 - 11:20
User Badges:
  • Blue, 1500 points or more


I understand what you are saying, but the only people with access to change the default gateway on a server would be an admin, and the worst that would happen would be to break connectivity. The server would then bypass the firewall for an internal connection, but the internal host response would route normally resulting in the firewall sending a reset due to the connection not being in the state table.


Gilles Dufour Tue, 04/24/2007 - 02:12
User Badges:
  • Cisco Employee,


you should maybe post your question to the security forum

If you create an inside network and a DMZ protected by firewall there is a reason.

If you allow a device [css or router] to bypass the firewall, you create a higher risk of potential attack.

Maybe a TCP connection would not be possible, but what about attacks using icmp or udp ?



This Discussion