Re: CSS Best Practices for Security

dgahm · ‎04-04-2007

We have CSS-11501s in our DMZs (separate ASA interface) doing load balancing for our public Web servers. There is a new server load balancing requirement on the internal network. Technically, I see no problems with using separate ports and VLANs on the existing appliances, but I am wondering if this would pass a network security audit?

Any documents or references to support this kind of configuration would be appreciated.

Dave

diro · ‎04-05-2007

Hi dave,

Personnaly i wouldn't take the risk, because the css does operate like a router. So if somebody can force the routing so that the css is the next hop then everybody can connect to the internal vlan because the css routes unknown traffic. You could stop this kind of abuse by using acls on the css, but again that's not really approved by cisco.

Hope this helped you,

Dimitri

dgahm · ‎04-23-2007

Dimitri,

I understand what you are saying, but the only people with access to change the default gateway on a server would be an admin, and the worst that would happen would be to break connectivity. The server would then bypass the firewall for an internal connection, but the internal host response would route normally resulting in the firewall sending a reset due to the connection not being in the state table.

Dave

Gilles Dufour · ‎04-24-2007

Dave,

you should maybe post your question to the security forum

If you create an inside network and a DMZ protected by firewall there is a reason.

If you allow a device [css or router] to bypass the firewall, you create a higher risk of potential attack.

Maybe a TCP connection would not be possible, but what about attacks using icmp or udp ?

Gilles.