This is my question also.  Now, I'm not an expert on 
security in any way, shape or form; I would classify 
myself as a novice at best.

I do understand defense in depth and multiple layers but 
I have the same question that Lawrence does.  Unless 
your webserver sits completely naked outside your 
firewall (a situation I can't even begin to imagine) 
then I don't see a really big problem w/ putting the SSL 
accelerator in front of your load balancer.

Can someone please explain so a simple person like 
myself can understand?


> Hi, Paul.
> 
> It's 6:30am and has already been a long day for me, so please forgive any
> disjointed thoughts.  :-}
> 
> Anyway, I'm not very familiar w/ LVS-IP because I haven't used that, but the
> problem w/ balancing SSL is when the encrypted transaction hits your load
> balancer the balancer is unable to read any of your session information (it's
> encrypted). So it just throws you at one of the web servers in question (round
> robin usually). The web server decrypts the transaction and is able to do any
> load balancing at that level before sending the transaction on to an
> application server (if applicable). The web server then encrypts the return
> data before sending it back out thru the balancer to the user. At no point
> does the balancer see unencrypted session information. I'm not sure if / how
> LVS-IP might overcome that problem, but I'm going to try putting some
> bandwidth into reading up on it this week.
> 
> I know this is true for Local Directors. Cisco (and others I'm sure) make
> "smart" load balancers which basically handle the SSL first, then do the load
> balancing, but functionally those are not much different than putting an SSL
> box in front of your LD if you already own them. As far as an SSL transaction
> between the user and backend, I'm not 100% sure I am reading the question
> right.
> If your environment goes something like this:
>     Browser --> net --> firewall --> ssl --> balancer --> webserver --> appserver --> database
> Then that should be just as secure as:
>     Browser --> net --> firewall --> balancer --> webserver / ssl --> appserver --> database
> 
> Basically, if your first firewall is compromised, then you're open and having
> the transaction encrypted for one or two more levels is probably not going to
> make a big difference. A good habit, of course, is to put a second firewall
> between your web and app server tier or at least in front of your db. If your
> database is not within your network and you need to call out to it, then put
> another dedicated SSL box between your appserver and db tier (one on each end,
> actually).  And, of course, another firewall. :-)
> 
> If your config is significantly different or if I misread your question, just
> let me know.
> 
> -Lawrence
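The routing difference Lawrence describes, shown as an added example that is not part of this thread or any product mentioned in it: a pass-through balancer receives only ciphertext, cannot find the session cookie, and falls back to round robin, while a balancer sitting behind SSL termination sees the plaintext request and can pin a session to one web server. The cipher here is a toy XOR keystream standing in for TLS, and the backend names, the SESSIONID cookie and the request bytes are all constructed for the demo.

```python
import hashlib
import itertools

# Constructed backend pool; the balancer cycles through these for round robin.
BACKENDS = ["web1", "web2", "web3"]


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS: XOR with a SHA-256 counter keystream (demo only, not TLS)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes itself


def session_id(http_request: bytes):
    """Return the SESSIONID cookie value if the bytes parse as HTTP, else None.
    On ciphertext no 'Cookie:' header line exists, so this yields None."""
    for line in http_request.split(b"\r\n"):
        if line.lower().startswith(b"cookie:"):
            for part in line.split(b":", 1)[1].split(b";"):
                name, _, value = part.strip().partition(b"=")
                if name == b"SESSIONID":
                    return value.decode(errors="replace")
    return None


class Balancer:
    def __init__(self, backends, terminates_ssl, key=None):
        self.backends = list(backends)
        self.terminates_ssl = terminates_ssl
        self.key = key                      # only a terminating balancer holds the key
        self.round_robin = itertools.cycle(self.backends)
        self.affinity = {}                  # session id -> backend (sticky sessions)

    def route(self, wire_bytes: bytes) -> str:
        if self.terminates_ssl:
            request = toy_decrypt(wire_bytes, self.key)   # plaintext HTTP visible
        else:
            request = wire_bytes                           # opaque ciphertext only
        sid = session_id(request)
        if sid is None:
            # No readable session: nothing to key affinity on, so round robin.
            return next(self.round_robin)
        if sid not in self.affinity:
            self.affinity[sid] = next(self.round_robin)
        return self.affinity[sid]


# Constructed request carrying a session cookie, as the browser would send it.
REQUEST = (
    b"GET /cart HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: SESSIONID=abc123; theme=dark\r\n"
    b"\r\n"
)
KEY = b"constructed-demo-key"


def simulate(terminates_ssl: bool, requests: int = 4) -> list:
    """Route the same session's requests and return the chosen backend per request."""
    balancer = Balancer(BACKENDS, terminates_ssl, key=KEY if terminates_ssl else None)
    wire = toy_encrypt(REQUEST, KEY)        # what the browser puts on the network
    return [balancer.route(wire) for _ in range(requests)]


if __name__ == "__main__":
    print("pass-through balancer :", simulate(terminates_ssl=False))
    print("SSL-terminating balancer:", simulate(terminates_ssl=True))
```

The pass-through run scatters one session across all three web servers, which is why application state then has to live somewhere shared or be rebalanced at the web tier as Lawrence describes; the terminating run keeps the session on the backend it was first assigned to. Either way the balancer holding the key is the component that now sees plaintext, which is the trade-off the thread is weighing.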

*****************************************************************
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the text 'unsubscribe gnhlug' in the message body.
*****************************************************************