Security Basics mailing list archives

AW: F5 and Load Balancing


From: "Raimar Melchior" <r.melchior () telonic de>
Date: Fri, 19 Jan 2007 10:12:19 +0100

LTM v9.x routes between the configured L3 VLANs by default. To restrict
traffic between the VLANs, you can configure a packet filter on LTM.

Cheers
Raimar  

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Andre Christian
Sent: Wednesday, 17 January 2007 20:53
To: 'Raimar Melchior'; Ethan_Steiger () Polk com;
security-basics () securityfocus com
Subject: RE: F5 and Load Balancing

I have this exact question regarding the security of the F5s spanning
multiple tiers. Do the F5s route across the VLANs that are configured?

You cannot force the servers to forward the traffic to the firewalls and
respond to queries via the F5s simultaneously. The firewalls will complain
of asymmetric routing.



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Raimar Melchior
Sent: Wednesday, January 17, 2007 12:30 PM
To: Ethan_Steiger () Polk com; security-basics () securityfocus com
Subject: AW: F5 and Load Balancing

The best and most cost-effective way would be to buy two F5 boxes and configure
them in HA. There is no need to buy two extra boxes for separation (the sales
guy would be very pleased!). If you have enough money, invest it in the ASM
(application security module) rather than buying more boxes. More boxes
need more administration tasks. They are well hardened and have a modified
TCP stack (TMOS). Configure VLANs for separation and NAT to protect the
nodes behind LTM (current boxes are called local traffic manager, not
bigip).

What do you mean by web tier? Do you want to place the F5 directly in
front of the internet with no firewall in front? If yes, disable all
unneeded services on the box, configure TCP wrappers and keep the system
up-to-date.

- Raimar

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ethan_Steiger () Polk com
Sent: Tuesday, 16 January 2007 19:10
To: security-basics () securityfocus com
Subject: F5 and Load Balancing

My Network group would like to leverage F5's bigIP products to do load
balancing in both the Web tier as well as the application tier of our
networks. While I take no issue with that approach, I do have a level of
paranoia regarding them using the same physical device. Am I justified in my
concern? Should I require them to purchase two additional F5s for this
implementation (HA configuration) or should I allow them to use the same F5
and use VLANs to separate them? What is the threat of using the same device?
Do the costs justify the added expense?

Lots of questions.

Thanks,
Ethan

______________________________
Ethan Steiger, CISSP
Chief Security Officer
Polk Global Automotive



ethan_steiger () polk com



