Firewall Wizards mailing list archives

Re: BigIP controller - any issues?


From: Chris Shenton <cshenton () uucom com>
Date: 30 Sep 1999 14:16:47 -0400

On Thu, 30 Sep 1999 11:25:06 +0100, "Cleaver, Richard J" <Richard.Cleaver () capgemini co uk> said:

Cleaver,> I have been asked to investigate the effect of implementing
Cleaver,> the BigIP Controller from F5 networks. It has been proposed
Cleaver,> to place this device (of which I have no experience) on the
Cleaver,> dirty side of internet facing firewalls to achieve firewall
Cleaver,> load balancing. Does anyone know of any security issues with
Cleaver,> this device?

It's a UNIX box under the covers, BSDI. They seem to have done a good
job of locking it down and are ssh-aware. Though I was surprised to see
they had IP forwarding enabled so I could route right through it.

You'll need two, if you're interested in fault-tolerance -- which is
why you're getting the BIG/ip in the first place I expect. For what
they do, I think they're a bit pricey. RND has a "fireproof" product
which does this, but I've grown to loathe their interface for normal
load balancers, and their tech support (human and online) leaves a lot
to be desired. Foundry has very cost-effective balancing switches
which can be done as dual redundant pairs and I've found their humans
quite responsive; only have a little hands on with this product though
-- talk to them to see if they'll satisfy your application.

I don't think any of the classic balancers can recover a session's
state if the firewall it's using dies. There are a couple vendors who
sell solutions specific to CheckPoint Firewall-1 but I'm unaware of
fault-tolerant solutions for Gauntlet. We're planning on doing it with
dynamic routing with our routers and back-end servers.


