Saturday, November 4, 2023

Vulnerability Management - Scanning approach to Load Balancers

We all know how important high-availability solutions are these days. A load balancer (LB) is one such system: it provides high availability alongside other benefits such as security, scalability and performance.

An LB is a device or piece of software that sits between clients and servers in a network. It distributes incoming traffic across multiple servers so that the load is balanced and network services remain available. LBs are, by their very nature, intended to hide what is behind them.

But scanning through an LB can produce misleading results. Because the LB directs traffic intelligently among multiple servers, scanning THROUGH it using a virtual IP (VIP) gives you different results for the same VIP address from one scan to the next.

The following issues may arise while scanning through an LB:

  • Scanning LBs will show any vulnerabilities of the LBs themselves, which may lead you to think the vulnerability is on the actual server when it is not.
  • Scanning through LBs, assuming there are multiple servers behind them, may give you different results each time you scan the IP. For example, the first scan hits Server1 and the second hits Server2; if those servers are not identical, the results will vary.
  • Suppose you are scanning a /24 subnet with 10 assets or so. Because of the scan's intensity, the LB may go into hardware protection mode and simply send a reply to every query the scanner makes. This will result in 255 assets showing as alive.
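The second and third issues above leave fingerprints in the scan data itself, so they can be caught before anyone opens a ticket against the wrong host. The following is an added example (not code from the original post) that runs over repeated scan results and flags the two patterns: a target whose fingerprint changes between runs, and a subnet where nearly every address answers identically. The scan records are constructed inline; in practice you would export them from your scanner's API.

```python
"""Spot load-balancer artefacts in repeated scan results.

Added example; not code from the original post. The scan records
below are constructed. A 'fingerprint' here is the tuple of open
ports plus the HTTP Server header, which is enough to tell two
dissimilar back-ends apart.
"""
from collections import Counter
from ipaddress import ip_network

# Constructed sample: three scans of the same range, keyed by target IP.
# Each value is the fingerprint (open ports, Server header) seen on that run.
# 10.0.1.11 answers differently on the second run: a VIP fronting two
# back-ends that are not identical.
SCAN_RUNS = [
    {"10.0.1.10": ("22,443", "nginx/1.24"), "10.0.1.11": ("22,80", "Apache/2.4")},
    {"10.0.1.10": ("22,443", "nginx/1.24"), "10.0.1.11": ("22,80,8080", "Apache/2.4")},
    {"10.0.1.10": ("22,443", "nginx/1.24"), "10.0.1.11": ("22,80", "Apache/2.4")},
]

# Constructed sample of issue 3: every usable host in 10.0.2.0/24 is "alive"
# with one uniform fingerprint, the signature of an LB replying for everyone.
FLOOD = {str(h): ("80", "lb-default") for h in ip_network("10.0.2.0/24").hosts()}


def inconsistent_targets(runs):
    """Return IPs whose fingerprint changed between runs.

    Same address, different back-end each time: the classic sign that
    the address is a VIP fronting dissimilar servers (issue 2).
    """
    seen = {}
    for run in runs:
        for ip, fingerprint in run.items():
            seen.setdefault(ip, set()).add(fingerprint)
    return sorted(ip for ip, fps in seen.items() if len(fps) > 1)


def suspect_protection_mode(alive, subnet, min_ratio=0.9):
    """Flag a subnet where nearly every address answered identically.

    If an LB starts replying to every probe (issue 3), the whole range
    lights up with one uniform fingerprint. Returns True when at least
    min_ratio of the usable hosts are alive and all share one fingerprint.
    """
    usable_hosts = len(list(ip_network(subnet).hosts()))
    ratio = len(alive) / usable_hosts
    distinct = Counter(alive.values())
    return ratio >= min_ratio and len(distinct) == 1


if __name__ == "__main__":
    print("fingerprint changed between runs:", inconsistent_targets(SCAN_RUNS))
    print("10.0.2.0/24 looks like LB protection mode:",
          suspect_protection_mode(FLOOD, "10.0.2.0/24"))
    print("10.0.1.0/24 looks like LB protection mode:",
          suspect_protection_mode(SCAN_RUNS[0], "10.0.1.0/24"))
```

Targets returned by `inconsistent_targets` are candidates for the VIP list, and a subnet flagged by `suspect_protection_mode` should be rescanned from inside the LB rather than trusted as 254 live hosts.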

Hence, you should never scan THROUGH an LB. Either deploy agents, or place a scanner on the inside network of the LB. To scan an LB itself, use its management IP address.

When scanning using a Virtual IP Address (VIP), there is currently no way, from the scanning solution's perspective, to tell whether an IP address is a VIP or not. You would need to write a script that pulls the configs from the LBs and extracts the VIPs.
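The script described above, as an added example that is not part of the original post: it extracts the VIPs from an LB config export and builds a scan target list that leaves those VIPs out while adding the LBs' management addresses. The config text is a constructed sample in a tmsh-style layout (`ltm virtual ... destination <ip>:<port>`); the exact syntax of your LB's export may differ, so the regular expression is the part to adapt. Fetching the config from each LB over its management interface is assumed to happen outside this snippet.

```python
"""Build a scan target list that excludes load-balancer VIPs.

Added example, not the post's own code. SAMPLE_LB_CONFIG is a
constructed export in a tmsh-style layout; adapt VIP_RE to whatever
your LB actually produces.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample export: two virtual servers and one pool.
SAMPLE_LB_CONFIG = """\
ltm virtual /Common/web_vs {
    destination /Common/10.0.1.50:443
    pool /Common/web_pool
}
ltm virtual /Common/api_vs {
    destination /Common/10.0.1.51:8443
    pool /Common/api_pool
}
ltm pool /Common/web_pool {
    members {
        /Common/10.0.1.10:443 { }
        /Common/10.0.1.11:443 { }
    }
}
"""

# Matches a 'destination' line, with or without a leading partition
# such as /Common/, and captures the IPv4 address before the port.
VIP_RE = re.compile(
    r"^\s*destination\s+(?:/[^/\s]+/)?(\d{1,3}(?:\.\d{1,3}){3}):\d+",
    re.MULTILINE,
)


def extract_vips(config_text):
    """Return the set of VIP addresses declared in a config export."""
    return {ip_address(m.group(1)) for m in VIP_RE.finditer(config_text)}


def build_targets(subnet, vips, lb_mgmt_ips):
    """Usable hosts of `subnet` minus the VIPs, plus the LB management IPs.

    Scanning a VIP would go THROUGH the LB; scanning the management
    address assesses the LB itself, as recommended above.
    """
    excluded = {ip_address(v) for v in vips}
    targets = [str(h) for h in ip_network(subnet).hosts() if h not in excluded]
    targets += [str(ip_address(ip)) for ip in lb_mgmt_ips]
    return targets


if __name__ == "__main__":
    vips = extract_vips(SAMPLE_LB_CONFIG)
    print("VIPs found:", sorted(str(v) for v in vips))
    # 192.0.2.5 is a constructed placeholder for the LB's management address.
    print("scan targets:", build_targets("10.0.1.48/29", vips, ["192.0.2.5"]))
```

The pool members (10.0.1.10 and 10.0.1.11 in the sample) are deliberately not excluded: those are the real servers, and they are exactly what an inside-the-LB scanner or an agent should assess.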

Please refer to the URLs below for more details:

What is a LB? (https://aws.amazon.com/what-is/load-balancing/#:~:text=Load%20balancers%20increase%20the%20fault,or%20upgrades%20without%20application%20downtime)

Scanning approach to LBs (https://community.tenable.com/s/question/0D5f200005YPgFsCAL/scanning-approach-to-load-balancers?language=en_US)

What is a Virtual IP Address (VIP)? (https://www.pubconcierge.com/blog/virtual-ip-what-is-it-and-how-it-works/)


Happy Learning !!
