<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: CSS Best Practices for Security in Application Networking</title>
    <link>https://community.cisco.com/t5/application-networking/css-best-practices-for-security/m-p/791769#M15313</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dimitri,&lt;/P&gt;&lt;P&gt;I understand what you are saying, but the only people with access to change the default gateway on a server would be an admin, and the worst that would happen would be to break connectivity. The server would then bypass the firewall for an internal connection, but the internal host's reply would still take the normal path back through the firewall, and the firewall would reset the connection because there is no entry for it in its state table (the flow is asymmetric).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Dave&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 23 Apr 2007 18:20:35 GMT</pubDate>
    <dc:creator>dgahm</dc:creator>
    <dc:date>2007-04-23T18:20:35Z</dc:date>
    <item>
      <title>CSS Best Practices for Security</title>
      <link>https://community.cisco.com/t5/application-networking/css-best-practices-for-security/m-p/791767#M15311</link>
      <description>&lt;P&gt;We have CSS-11501s in our DMZs (on a separate ASA interface) doing load balancing for our public Web servers. There is a new server load balancing requirement on the internal network. Technically I see no problem with using separate ports and VLANs on the existing appliances for the internal traffic, but since the same box would then be connected to both the DMZ and the inside network, I am wondering whether this would pass a network security audit.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any documents or references to support this kind of configuration would be appreciated.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Dave&lt;/P&gt;</description>
      <pubDate>Wed, 04 Apr 2007 20:48:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/application-networking/css-best-practices-for-security/m-p/791767#M15311</guid>
      <dc:creator>dgahm</dc:creator>
      <dc:date>2007-04-04T20:48:18Z</dc:date>
    </item>
    <item>
      <title>Re: CSS Best Practices for Security</title>
      <link>https://community.cisco.com/t5/application-networking/css-best-practices-for-security/m-p/791768#M15312</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Dave,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Personally I wouldn't take the risk, because the CSS operates like a router. If somebody can force the routing so that the CSS is the next hop, then anybody can reach the internal VLAN, because the CSS simply routes traffic it has no content rule for. You could stop this kind of abuse with ACLs on the CSS, but using the load balancer as a filtering device is not really a Cisco-approved practice.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helped you,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Dimitri&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Apr 2007 11:59:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/application-networking/css-best-practices-for-security/m-p/791768#M15312</guid>
      <dc:creator>diro</dc:creator>
      <dc:date>2007-04-05T11:59:00Z</dc:date>
    </item>
    <item>
      <title>Re: CSS Best Practices for Security</title>
      <link>https://community.cisco.com/t5/application-networking/css-best-practices-for-security/m-p/791769#M15313</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dimitri,&lt;/P&gt;&lt;P&gt;I understand what you are saying, but the only people with access to change the default gateway on a server would be an admin, and the worst that would happen would be to break connectivity. The server would then bypass the firewall for an internal connection, but the internal host's reply would still take the normal path back through the firewall, and the firewall would reset the connection because there is no entry for it in its state table (the flow is asymmetric).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Dave&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 23 Apr 2007 18:20:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/application-networking/css-best-practices-for-security/m-p/791769#M15313</guid>
      <dc:creator>dgahm</dc:creator>
      <dc:date>2007-04-23T18:20:35Z</dc:date>
    </item>
    <item>
      <title>Re: CSS Best Practices for Security</title>
      <link>https://community.cisco.com/t5/application-networking/css-best-practices-for-security/m-p/791770#M15314</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dave,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You should maybe post your question to the security forum.&lt;/P&gt;&lt;P&gt;If you create an inside network and a DMZ protected by a firewall, there is a reason: the public Web servers sit in the DMZ precisely because they may be compromised, and at that point the attacker is the &quot;admin&quot; who can change the default gateway.&lt;/P&gt;&lt;P&gt;If you allow a device [CSS or router] to bypass the firewall, you create a higher risk of potential attack.&lt;/P&gt;&lt;P&gt;Maybe a TCP connection would not be possible, since the reset relies on the reply coming back through the firewall, but what about attacks using ICMP or UDP? A single unsolicited packet needs no return path and would still reach the internal host.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Gilles.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 24 Apr 2007 09:12:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/application-networking/css-best-practices-for-security/m-p/791770#M15314</guid>
      <dc:creator>Gilles Dufour</dc:creator>
      <dc:date>2007-04-24T09:12:58Z</dc:date>
    </item>
  </channel>
</rss>

