
Thread: Is NLB secure?

  1. #1
    Senior Member
    Join Date
    Jul 2004
    Posts
    177

    Is NLB secure?

    Recently, after some testing, I built an NLB "cluster" on one of our webservers (actually, on the one we already had and on a new one).

    It works fine, but since then I'm able to sniff the traffic between the members of the NLB and its clients from any other computer on the network in promiscuous mode...

    Is that normal?
    Why does it happen if none of the destination addresses (Ethernet, IP) is broadcast?

    Any help would be appreciated.

    Thank you.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: Is NLB secure?

    Originally posted here by DerekK
    Why does it happen if none of the destination addresses (Ethernet, IP) is broadcast?
    How's everything connected? Using hubs or switches?

    If it's hubs, it's normal.
    If it's switches, it's not. Maybe your switch is in a fail-open state? Switches tend to do this if they see multiple MAC addresses (layer2) using the same IP address (layer3). It freaks out the switch and to prevent connection loss due to the failure it effectively becomes a hub. You may need to configure your switch specifically for the NLB cluster machines.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Ok, let me explain myself:

    I have two NLB clusters, both with two nodes with two NICs each. They are independent, with their own IPs and applications.

    One of them has the "public" NICs of both servers connected to the LAN and the "private" ones connected with a crossover cable.

    The other cluster has the same configuration for the "public" interfaces, but the "private" ones are connected to two ports on the same switch which are configured as an untagged VLAN.

    I can sniff packets between the clusters and their clients in both cases.

    Could you explain a little bit more about this fail-open state? In that case, should I be able to sniff the traffic of the other machines attached to that switch?

    Thank you very much.

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Still not sure, but I'm assuming the following (let's concentrate on one cluster at a time):

    ClusterA consists of NodeA and NodeB. NodeA and NodeB are connected using a crossover cable on interface2. Interface1 of NodeA and of NodeB each has a LAN IP address. ClusterA also has a virtual IP address?

    http://www.microsoft.com/technet/pro...ing/nlbbp.mspx
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Good idea, one at a time.

    Defs:

    Public interface: The one which has the cluster IP configured, plus another one on the same network, and serves the application to the clients. It is attached to the LAN.

    Private interface: The one that's supposed to send the heartbeats between the nodes of the cluster and has an IP address on another network. It is attached to the other server's private interface through a crossover cable.

    Cluster A:
    Public interface: 192.168.69.175, 192.168.69.94
    Private interface: 10.29.0.1

    Cluster B:
    Public interface: 192.168.69.175, 192.168.69.95
    Private interface: 10.29.0.2

    Am I more clear now?


    I hope so.

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Ah, yes

    192.168.69.175 is the cluster's virtual IP address. Clients use this to connect to your cluster. But because 2 different machines (read NICs) respond to this address, the switch they are connected to can get confused. A switch usually manages a table with MAC<->IP address translations so it knows which machine is connected to which port. When it gets confused it'll send the traffic to all its ports. This is called fail-open and it basically turns your switch into a hub.

    Do you use layer2 or layer3 switches? What type/brand?

    Found this:
    http://www.cisco.com/en/US/tech/tk38...8011b481.shtml
    http://support.microsoft.com/default...b;en-us;193602
    Oliver's Law:
    Experience is something you don't get until just after you need it.
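The following is an added example and not code from the thread: a small learning-switch model in Python that shows what actually happens to frames addressed to the cluster's virtual address. It relies on three facts: a switch forwards by destination MAC using a table it fills from the source MAC of frames seen on each port; a destination MAC that is not in that table is flooded out of every port except the ingress one (unknown-unicast flooding); and in unicast mode NLB gives every node the cluster MAC 02-BF-<cluster IP as four hex bytes> but writes a per-host masked address (02-<host priority>-<same four bytes>) in the Ethernet source field, so the switch never learns a port for the cluster MAC. The port names, host MACs and traffic sequence are constructed for the example.

```python
# Added example (not from the thread): a minimal learning switch used to show
# why unicast-mode NLB traffic lands on every port of a healthy switch.
# Facts relied on:
#   - the switch learns SOURCE MAC -> port and forwards by DESTINATION MAC;
#   - an unknown destination MAC is flooded to all ports but the ingress one;
#   - unicast NLB cluster MAC is 02-BF-<IP>, but nodes transmit with the
#     masked source 02-<host priority>-<IP>, so 02-BF-<IP> is never learned.
# Port names, host MACs and the traffic sequence are constructed.

from dataclasses import dataclass, field
from ipaddress import IPv4Address

BROADCAST = "ff:ff:ff:ff:ff:ff"


def nlb_unicast_cluster_mac(cluster_ip: str) -> str:
    """Unicast-mode NLB cluster MAC: 02-BF followed by the four IP octets."""
    return "02:bf:" + ":".join(f"{b:02x}" for b in IPv4Address(cluster_ip).packed)


def nlb_masked_source_mac(cluster_mac: str, host_priority: int) -> str:
    """Source MAC NLB puts on a node's outgoing frames: second byte = host priority."""
    return f"02:{host_priority:02x}" + cluster_mac[5:]


@dataclass
class LearningSwitch:
    ports: list
    mac_table: dict = field(default_factory=dict)   # MAC -> port, one port per MAC

    def forward(self, in_port: str, src: str, dst: str) -> list:
        """Learn src on in_port, then return the list of ports the frame leaves on."""
        self.mac_table[src] = in_port
        if dst in self.mac_table:
            return [self.mac_table[dst]]
        # Broadcast or never-learned unicast: flood everywhere except where it came in.
        return [p for p in self.ports if p != in_port]


def simulate(cluster_ip: str = "192.168.69.175") -> dict:
    """p1/p2 = NLB nodes, p3 = client, p4 = sniffing laptop, p5 = unrelated server."""
    sw = LearningSwitch(ports=["p1", "p2", "p3", "p4", "p5"])
    cluster_mac = nlb_unicast_cluster_mac(cluster_ip)
    node1_src = nlb_masked_source_mac(cluster_mac, 1)    # node on p1, priority 1
    client = "00:0c:29:cc:cc:cc"                          # constructed
    other_server = "00:0c:29:dd:dd:dd"                    # constructed
    out = {}
    sw.forward("p5", other_server, BROADCAST)             # other server already seen once
    out["arp_request"] = sw.forward("p3", client, BROADCAST)        # who-has VIP: flooded by design
    out["arp_reply"] = sw.forward("p1", node1_src, client)          # switch learns 02:01:..., not 02:bf:...
    out["client_to_vip"] = sw.forward("p3", client, cluster_mac)    # unknown dst -> flooded, p4 sees it
    out["vip_to_client"] = sw.forward("p1", node1_src, client)      # client is learned -> p3 only
    out["client_to_other"] = sw.forward("p3", client, other_server) # learned -> p5 only, not a hub
    out["cluster_mac_learned"] = cluster_mac in sw.mac_table
    return out


if __name__ == "__main__":
    for name, ports in simulate().items():
        print(f"{name:20s} -> {ports}")
```

Running it shows that frames to 02:bf:c0:a8:45:af leave on every port (the laptop on p4 included), while the node's replies to the client and the client's traffic to the unrelated server go to a single port: the switch is not in a hub-like state, it simply has no entry for the cluster MAC. Because the table maps one unicast MAC to one port, a static entry cannot fix unicast mode; the usual remedies are to confine the nodes' public NICs to their own VLAN or hub segment so the flooding reaches only cluster ports, or to run NLB in multicast/IGMP mode, where the cluster MAC is a multicast address the switch can be given static entries for on the node ports.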

  7. #7
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Fortunately we use SSL, but it is still quite scary to think that we are broadcasting the sessions between the clients and the webservers to the network.
    We use 3Com switches. Right now I'm checking with a laptop and Ethereal that, in fact, the switches are broadcasting those sessions.
    One more question: If the switches are in fail-open, should they broadcast all the packets to all ports or only the ones whose destination address is the NLB cluster's virtual address?

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by DerekK
    One more question: If the switches are in fail-open, should they broadcast all the packets to all ports or only the ones whose destination address is the NLB cluster's virtual address?
    Because the switch doesn't know which IP address belongs to which port, it'll send the packets to all ports. (Don't use the term broadcast in this context; broadcasts are an entirely different beast, and it'll get confusing.)
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Ok, sorry for the broadcast.

    But I meant, which packets are sent to all ports: only the ones addressed to the virtual address, or is every packet that enters the switch redirected to all ports?

    And, what should be the solution? Just add the "MAC - port" to the ARP table of the switch?

    And... how can I assign more than one port to the same MAC address?

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If the switch is in a fail-open state it'll copy any packet from any port to all its ports.

    As for the solution... it depends on how you've set up NLB (unicast/multicast) and what type of switch you use (layer 2 or 3).


    If you connect Network Load Balancing hosts with a switch, the switch must be layer 2 instead of layer 3 or higher, because all the hosts share the same IP address (the cluster IP address), and layer 3 switches direct network packets (incoming client requests) according to the IP address of the destination computer.
    http://support.microsoft.com/default...b;en-us;193602
    Oliver's Law:
    Experience is something you don't get until just after you need it.
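The question of whether every packet or only the cluster's packets reach a bystander port can be settled from the capture itself. The following added example is not from the thread: it sorts the frames a promiscuous capture shows by destination MAC and tells "the switch floods every unicast frame" apart from "only frames to the NLB cluster MAC are flooded". It relies on two facts: a destination MAC whose first byte has its low bit set is multicast (all-ones is broadcast), and unicast-mode NLB uses the cluster MAC 02-BF-<cluster IP as four hex bytes>. The sniffer's own MAC, the client and server MACs and the captured frames are constructed for the example.

```python
# Added example, not code from the thread: classify the frames a promiscuous
# capture shows so you can tell "switch floods every unicast frame" from
# "only frames to the NLB cluster MAC are flooded".  Relies on: I/G bit
# (low bit of first dst byte) marks multicast, all-ones is broadcast, and
# unicast-mode NLB uses cluster MAC 02-BF-<IP>.  MACs and frames are constructed.

import struct
from collections import Counter
from ipaddress import IPv4Address

MY_MAC = "00:0c:29:5e:5e:5e"        # assumed: the sniffing laptop's NIC
CLIENT_MAC = "00:0c:29:cc:cc:cc"    # assumed: a web client on the LAN
OTHER_MAC = "00:0c:29:dd:dd:dd"     # assumed: an unrelated server on the LAN
CLUSTER_IP = "192.168.69.175"       # the VIP from the thread
CLUSTER_MAC = "02:bf:" + ":".join(f"{b:02x}" for b in IPv4Address(CLUSTER_IP).packed)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ipv4_payload(src_ip: str, dst_ip: str) -> bytes:
    """Minimal 20-byte IPv4 header (protocol TCP, no options); enough to parse."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def classify(frame: bytes, my_mac: str = MY_MAC, cluster_mac: str = CLUSTER_MAC) -> str:
    """Why did this frame reach our NIC?"""
    dst = mac_str(frame[0:6])
    if dst == BROADCAST:
        return "broadcast"
    if frame[0] & 0x01:
        return "multicast"
    if dst == my_mac:
        return "unicast-to-me"
    if dst == cluster_mac:
        return "flooded-cluster-unicast"   # expected with unicast-mode NLB
    return "flooded-other-unicast"         # never expected on a healthy switch


def ip_dst(frame: bytes):
    """Destination IP of an IPv4 frame, else None (to cross-check against the VIP)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or len(frame) < 34:
        return None
    return str(IPv4Address(frame[30:34]))


def summarize(frames) -> Counter:
    return Counter(classify(f) for f in frames)


def diagnose(counts: Counter) -> str:
    if counts["flooded-other-unicast"]:
        return "switch forwards other hosts' unicast to this port too: hub-like flooding"
    if counts["flooded-cluster-unicast"]:
        return "only frames to the NLB cluster MAC are flooded: unknown-unicast flooding of the cluster MAC"
    return "no foreign unicast seen on this port"


# Constructed capture 1: what unicast-mode NLB alone produces on a bystander port.
SAMPLE_NLB_ONLY = [
    build_frame(BROADCAST, CLIENT_MAC, 0x0806, b""),                                            # ARP who-has VIP
    build_frame(CLUSTER_MAC, CLIENT_MAC, 0x0800, ipv4_payload("192.168.69.50", CLUSTER_IP)),    # client -> VIP
    build_frame(MY_MAC, OTHER_MAC, 0x0800, ipv4_payload("192.168.69.60", "192.168.69.70")),     # addressed to us
    build_frame("01:00:5e:00:00:01", OTHER_MAC, 0x0800, ipv4_payload("192.168.69.60", "224.0.0.1")),
]
# Constructed capture 2: the same plus a unicast frame for an unrelated server.
SAMPLE_HUB_LIKE = SAMPLE_NLB_ONLY + [
    build_frame(OTHER_MAC, CLIENT_MAC, 0x0800, ipv4_payload("192.168.69.50", "192.168.69.60")),
]

if __name__ == "__main__":
    for name, frames in (("nlb-only", SAMPLE_NLB_ONLY), ("hub-like", SAMPLE_HUB_LIKE)):
        counts = summarize(frames)
        print(name, dict(counts), "->", diagnose(counts))
```

On the laptop itself the same check is a capture filter: `tcpdump -e -n 'not ether broadcast and not ether multicast and not ether host <laptop MAC>'` shows only the foreign unicast frames; if every destination printed is 02:bf:c0:a8:45:af the switch is doing nothing beyond flooding the unlearned cluster MAC, and any other destination means other hosts' sessions are being copied to your port as well.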
