Cisco IOS Software Release 12.2(18)SXF
IOS Server Load Balancing Feature in IOS Release 12.2(18)SXF7
Features
Avoiding Attacks on Server Farms and Firewall Farms
IOS SLB relies on a site’s firewalls to protect the site from attacks. In general, IOS SLB is no more
susceptible to direct attack than is any switch or router. However, a highly secure site can take the
following steps to enhance its security:
• Configure real servers on a private network to keep clients from connecting directly to them. This configuration ensures that the clients must go through IOS SLB to get to the real servers.
• Configure input access lists on the access router or on the IOS SLB device to deny flows from the outside network aimed directly at the interfaces on the IOS SLB device. That is, deny all direct flows from unexpected addresses.
• To protect against attackers trying to direct flows to real or nonexistent IP addresses in the firewall subnet, configure the firewalls in a private network.
• Configure firewalls to deny all unexpected flows targeted at the firewalls, especially flows originating from the external network.
Slow Start
In an environment that uses weighted least connections load balancing, a real server that is placed in
service initially has no connections, and could therefore be assigned so many new connections that it
becomes overloaded. To prevent such an overload, slow start controls the number of new connections
that are directed to a real server that has just been placed in service.
GPRS load balancing and the Home Agent Director do not support slow start.
SynGuard
SynGuard limits the rate of TCP start-of-connection packets (SYNchronize sequence numbers, or SYNs)
handled by a virtual server to prevent a type of network problem known as a SYN flood denial-of-service
attack. An attacker can send a large number of SYNs to a server, which could overwhelm or crash the
server, denying service to other users. SynGuard prevents such an attack from bringing down IOS SLB
or a real server. SynGuard counts the SYNs handled by a virtual server during each configured interval
and does not allow the count to exceed a configured SYN threshold. Once the threshold is reached within
an interval, any further new SYNs in that interval are dropped.
IOS SLB firewall load balancing and the Home Agent Director do not support SynGuard.
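The following configuration is an added illustration, not text or configuration taken from this document or from Cisco. It ties together the hardening steps listed under "Avoiding Attacks on Server Farms and Firewall Farms" (real servers on a private subnet reachable only through the virtual IP, an inbound access list that denies flows aimed at the IOS SLB device itself and at the private subnets), the weighted least connections predictor that slow start applies to, and a SynGuard limit on the virtual server. All names, addresses, the interface, the weights and the 100-SYN/100-ms limit are assumed values; the order of the synguard arguments (syn-count, then interval in milliseconds) is from memory and should be checked against the command reference for your release.

```cisco
! Added example (not from the original document). Names, addresses, the
! interface and thresholds are assumptions chosen for illustration.
!
! Real servers live on a private subnet that is not routed from the outside,
! so clients can only reach them through the virtual IP. Server NAT rewrites
! the destination from the VIP to the selected real server. The leastconns
! predictor is the weighted least connections mode that slow start protects.
ip slb serverfarm WEBFARM
 nat server
 predictor leastconns
 real 10.1.1.11
  weight 8
  inservice
 real 10.1.1.12
  weight 4
  inservice
!
! One virtual server on the public VIP. synguard <syn-count> <interval-ms>:
! once 100 SYNs have been seen within a 100 ms interval, further new SYNs in
! that interval are dropped; the count starts again in the next interval.
ip slb vserver WEB-VIP
 virtual 203.0.113.10 tcp 80
 serverfarm WEBFARM
 synguard 100 100
 inservice
!
! Inbound ACL on the outside-facing interface: only the VIP on its service
! port is reachable from outside. Flows aimed at the SLB device's own
! interface address, at the real-server subnet (10.1.1.0/24) or at the
! firewall subnet (10.1.2.0/24, assumed) are dropped and logged, and the
! final deny covers every other unexpected flow.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq www
 deny   ip any host 203.0.113.1 log
 deny   ip any 10.1.1.0 0.0.0.255 log
 deny   ip any 10.1.2.0 0.0.0.255 log
 deny   ip any any log
!
interface GigabitEthernet1/1
 description Outside (toward the external network)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
```

Two practical caveats. If the outside interface also has to accept routing, management or other service traffic, add explicit permits for those flows ahead of the final deny, or the access list will break them. Logging every denied packet on a busy interface can itself load the device during a flood, so keep the log keyword on the specific denies you want visibility into and drop it from the catch-all once the design is verified. After applying the configuration, show ip slb vservers and show ip slb stats confirm that the virtual server is in service and, during a SYN flood, that SYNs are being dropped rather than forwarded.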
Server Failure Detection and Recovery Features
IOS SLB provides the following server failure detection and recovery features: