Security on the Cisco CSS

03-11-2005 11:32 AM
I have a Cisco CSS 11501s attached to a Cisco 6000. I am using the CSS in a one-arm design, which is basically a router on a stick. The Cisco 6000 only provides layer 2 switching. It utilizes 1 Ethernet interface on a single VLAN.
I configure 3 VIPs for client connection.
- VIP 1 for SSL
- VIP 2 is for the clear text traffic from the VIP1/proxy list.
- VIP 3 is for redirecting clear text traffic from the client.
- All VIPs use the same address, but differing ports.
I have a source group for all outbound traffic to the server farm. I tried to block traffic to the clear text interface, but I blocked all traffic. Is there an issue with the security of VIPs in a one-arm design?
Any design ideas?
Thank you
Labels: Application Networking
03-15-2005 09:44 AM
Hi,
Are you blocking traffic using ACLs on the CSS, or ACLs on another device?
ACLs on the CSS allow source/dest/port, etc., so you should be able to be very specific about your blocking. The trick with ACLs on the CSS is that there is an implicit deny on all VLANs when they are enabled, so you will need to make sure you have the necessary permits along with the denys.
Regards
Pete Knoops
Cisco Systems
03-18-2005 05:08 PM
Hi,
If I understand correctly, you want to block the traffic destined to the VIP which is actually meant for the back-end traffic with the server once it is off the proxy-list. I understand you use VIP2 for this purpose as per your question, and it is the same as the client side IP range.
Here is the solution: just use a config known as a "full-proxy" configuration by Cisco on the CSS. To do this you would need two different IP ranges. One would be for your client side (the one resolved by DNS) and the other could be a different IP range, preferably a non-routable private IP range like 192.168.x.x for the back-end server segment. You will now pick up a VIP from the server segment and assign it in the proxy-list with the 'cipher' specs.
In essence, this way you wouldn't be forced to use the same VIP range for the servers and for the clients as well. You can have a private range on the back-end. This prevents traffic being targeted to your server segment from the client segment in the clear (HTTP in your case).
Thanks
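The full-proxy layout described in this reply, together with the implicit-deny point from Pete's reply above, as an added illustrative config sketch written for this thread (not the poster's or Cisco's own config). It assumes CSS 11500 syntax as remembered, placeholder addresses 203.0.113.10 (public VIP resolved by DNS) and 192.168.10.0/24 (private server segment) both reachable on circuit VLAN1, and an RSA key and certificate already loaded as my_key and my_cert; verify each directive against your software release.

```text
service web1
  ip address 192.168.10.11
  port 80
  active
! Decrypt on the public VIP, forward clear text to the private VIP (cipher spec)
ssl-proxy-list ssl_list
  ssl-server 10
  ssl-server 10 vip address 203.0.113.10
  ssl-server 10 rsakey my_key
  ssl-server 10 rsacert my_cert
  ssl-server 10 cipher rsa-with-rc4-128-sha 192.168.10.10 80
  active
service ssl_accel
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list
  active
owner shop
! VIP 1: client SSL on the public address
  content https_rule
    vip address 203.0.113.10
    protocol tcp
    port 443
    application ssl
    add service ssl_accel
    active
! VIP 2: clear text from the SSL module, private address only
  content clear_rule
    vip address 192.168.10.10
    protocol tcp
    port 80
    add service web1
    active
! VIP 3: client clear text sent back to https
  content redirect_rule
    vip address 203.0.113.10
    protocol tcp
    port 80
    redirect "https://www.example.com/"
    active
! "acl enable" puts an implicit deny on every circuit, so the deny for the
! private segment must be followed by an explicit permit or all traffic stops.
acl 1
  clause 10 deny tcp any destination 192.168.10.0 255.255.255.0 eq 80
  clause 20 permit any any destination any
  apply circuit-(VLAN1)
acl enable
```

The poster's symptom (everything blocked after adding a deny) is what clause 10 alone would produce without clause 20; the private range on VIP 2 is what keeps the clear-text path unreachable from the client segment.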
