04-04-2007 01:48 PM
We have CSS-11501s in our DMZs (separate ASA interface) doing load balancing for our public Web servers. There is a new server load balancing requirement on the internal network. Technically, I see no problems with using separate ports and VLANs on the existing appliances, but I am wondering if this would pass a network security audit?
Any documents or references to support this kind of configuration would be appreciated.
Dave
04-05-2007 04:59 AM
Hi dave,
Personnaly i wouldn't take the risk, because the css does operate like a router. So if somebody can force the routing so that the css is the next hop then everybody can connect to the internal vlan because the css routes unknown traffic. You could stop this kind of abuse by using acls on the css, but again that's not really approved by cisco.
Hope this helped you,
Dimitri
04-23-2007 11:20 AM
Dimitri,
I understand what you are saying, but the only people with access to change the default gateway on a server would be an admin, and the worst that would happen would be to break connectivity. The server would then bypass the firewall for an internal connection, but the internal host response would route normally resulting in the firewall sending a reset due to the connection not being in the state table.
Dave
04-24-2007 02:12 AM
Dave,
you should maybe post your question to the security forum
If you create an inside network and a DMZ protected by firewall there is a reason.
If you allow a device [css or router] to bypass the firewall, you create a higher risk of potential attack.
Maybe a TCP connection would not be possible, but what about attacks using icmp or udp ?
Gilles.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide