Security Basics mailing list archives
AW: F5 and Load Balancing
From: "Raimar Melchior" <r.melchior () telonic de>
Date: Fri, 19 Jan 2007 10:12:19 +0100
LTM v9.x routes between the configured L3 VLANs by default. To restrict traffic between each VLAN you can configure a packet filter on LTM.

Cheers
Raimar

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Andre Christian
Sent: Wednesday, 17 January 2007 20:53
To: 'Raimar Melchior'; Ethan_Steiger () Polk com; security-basics () securityfocus com
Subject: RE: F5 and Load Balancing

I have this exact question regarding the security of the F5s spanning multiple tiers. Do the F5s route across the VLANs that are configured? You cannot force the servers to forward the traffic to the firewalls and respond to queries via the F5s simultaneously. The firewalls will complain of asymmetric routing.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Raimar Melchior
Sent: Wednesday, January 17, 2007 12:30 PM
To: Ethan_Steiger () Polk com; security-basics () securityfocus com
Subject: AW: F5 and Load Balancing

The best and cost-effective way would be to buy two F5 boxes and configure them in HA. There is no need to buy two extra boxes for separation (sales guy would be very pleased!). If you have enough money, invest it in the ASM (application security module) rather than buying more boxes. More boxes need more administration tasks. They are well hardened and have a modified TCP stack (TMOS). Configure VLANs for separation and NAT to protect the nodes behind LTM (current boxes are called local traffic manager, not bigip).

What do you mean by web tier? Do you want to place the F5 directly in front of the internet with no firewall in front? If yes, disable all unneeded services on the box, configure TCP wrappers and keep the system up to date.

- Raimar

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ethan_Steiger () Polk com
Sent: Tuesday, 16 January 2007 19:10
To: security-basics () securityfocus com
Subject: F5 and Load Balancing

My Network group would like to leverage F5's bigIP products to do load balancing in both the Web tier as well as the application tier of our networks. While I take no issue with that approach, I do have a level of paranoia regarding them using the same physical device. Am I justified in my concern? Should I require them to purchase two additional F5s for this implementation (HA configuration) or should I allow them to use the same F5 and use VLANs to separate them? What is the threat of using the same device? Do the costs justify the added expense? Lots of questions.

Thanks,
Ethan

______________________________
Ethan Steiger, CISSP
Chief Security Officer
Polk Global Automotive
ethan_steiger () polk com