
In a load balanced environment, is it necessary to have all of the web servers in the DMZ? Or will just having the Load Balancer in the DMZ achieve the desired security? If it matters, the web server and application server are the same -- GF, Tomcat fronted by httpd on the same server, OAS, etc...

LB -> WEB/APPLICATION -> DB

Also, would the setup be different if it was

LB -> Web Server -> Application Server -> DB

Thanks, Bradford


3 Answers


Security is all about layers. Just relying on a single DMZ technology (or any technology) for security is going to be problematic. No two networks are the same, and neither are their security requirements.

If you place your LB in the DMZ, then whatever is providing your DMZ will also have to bear this load. What is your DMZ doing? Packet filtering, L7 inspection, IDS, etc., or all of those?

What are you trying to protect, and what are you trying to protect it from? What are your traffic loads? If you're maxing out a gigabit link, then you'll need lots of extra infrastructure to deal with that traffic. This infrastructure will have to be fault tolerant.

Why not harden your operating system, apply the correct host-based firewall rules, and some basic filtering on your edge router?

Stateful firewalls have limits too, and it's another piece of infrastructure to load balance, monitor and maintain (and potentially have security problems).

Security is a process. Just implementing a DMZ won't really fix anything unless you actually know what you're trying to protect and why.

You can keep adding layers, but you're adding complexity; reducing complexity is sometimes more secure, so it's a real trade-off.

I've seen many networks with a plethora of expensive network security devices and programs, and when you ask if they take regular offline database backups, they come up blank.

This answer probably posed more questions than answers, but it's a short question with a very long answer.

Anyone who responds with 'just install a firewall' probably shouldn't be answering it at all!

The Unix Janitor

My first response would be that the web server should be on the DMZ.

The concept of DMZ is a zone where, if an attack is successful, it doesn't affect the rest of the organization. Ideally it shouldn't be possible to go from any machine on the DMZ to the internal/secure network.

From the LB/Web server/Application Server combo, the LB is probably the least prone to be successfully attacked. As such, I'd say that those machines should be in the DMZ.

Best regards,
João Miguel Neves

jneves

Load Balancer. The LTM will be less vulnerable since basically only the VIP and the port assigned to that VIP are open to the public, not the LTM itself. Also, it will reduce the number of ports you have to open from the DMZ to the internal network if your web app or server has to auth users (LDAP) or do any other SQL functions and so on. In this case only port 80 or 443 is open from the DMZ to the internal network as well. Now, if it's a single web server and doesn't need internal access to anything else, you can put it in the DMZ, but if you're internal and still need to access it you will have to open the web ports and/or RDP ports to the internal network anyway, so you're better off with the Load Balancer than the server in the DMZ.

Mark
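One way to make the port-counting argument in the answers above concrete is to model both placements and list which flows must cross the DMZ/internal boundary. This is an added example, not code from the thread; the host names, ports and the LDAP/DB/RDP dependencies are constructed assumptions.

```python
# Added example (not from the original thread): enumerate the flows that must be
# opened across the DMZ/internal boundary for the two placements the answers
# discuss. Hosts, ports and dependencies below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    zone: str                                     # "dmz" or "internal"
    talks_to: dict = field(default_factory=dict)  # {target host: [ports]}


def boundary_flows(hosts):
    """Return sorted (src, dst, port) tuples whose source and destination
    lie in different zones, i.e. holes the DMZ firewall must permit."""
    zone = {h.name: h.zone for h in hosts}
    flows = set()
    for h in hosts:
        for target, ports in h.talks_to.items():
            if zone[h.name] != zone[target]:
                flows.update((h.name, target, p) for p in ports)
    return sorted(flows)


def build(web_in_dmz):
    """Constructed topology: LB -> web/app -> DB, where the web/app tier also
    needs LDAP for user auth and RDP access from an internal admin host."""
    web_zone = "dmz" if web_in_dmz else "internal"
    return [
        Host("lb", "dmz", {"web": [443]}),
        Host("web", web_zone, {"ldap": [389], "db": [5432]}),
        Host("ldap", "internal"),
        Host("db", "internal"),
        Host("admin", "internal", {"web": [3389]}),
    ]


def compare_placements():
    """Boundary-crossing flows for each placement, keyed by placement name."""
    return {
        "lb_only_in_dmz": boundary_flows(build(web_in_dmz=False)),
        "web_in_dmz": boundary_flows(build(web_in_dmz=True)),
    }


if __name__ == "__main__":
    for placement, flows in compare_placements().items():
        print(placement, [f"{s}->{d}:{p}" for s, d, p in flows])
```

With only the LB in the DMZ, a single 443 flow crosses the boundary; with the web/app tier in the DMZ, the LDAP, DB and RDP flows all have to be permitted through it.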