Security Basics mailing list archives

Re: F5 and Load Balancing


From: "Raimar Melchior" <r.melchior () telonic de>
Date: Wed, 17 Jan 2007 18:29:38 +0100

The best and most cost-effective way would be to buy two F5 boxes and configure
them in HA. There is no need to buy two extra boxes for separation (sales
guy would be very pleased!). If you have enough money, invest it in the ASM
(application security module) rather than buying more boxes. More boxes
need more administration tasks. They are well hardened and have a modified
TCP stack (TMOS). Configure VLANs for separation and NAT to protect the
nodes behind LTM (current boxes are called local traffic manager, not
bigip).

What do you mean by web tier? Do you want to place the F5 directly in
front of the internet with no firewall in front? If yes, disable all
unneeded services on the box, configure TCP wrappers and keep the system
up-to-date.

- Raimar

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ethan_Steiger () Polk com
Sent: Tuesday, 16 January 2007 19:10
To: security-basics () securityfocus com
Subject: F5 and Load Balancing

My Network group would like to leverage F5's bigIP products to do load
balancing in both the Web tier as well as the application tier of our
networks. While I take no issue with that approach, I do have a level of
paranoia regarding them using the same physical device. Am I justified in my
concern? Should I require them to purchase two additional F5s for this
implementation (HA configuration) or should I allow them to use the same F5
and use VLANs to separate them? What is the threat of using the same device?
Do the costs justify the added expense?

Lots of questions.

Thanks,
Ethan

______________________________
Ethan Steiger, CISSP
Chief Security Officer
Polk Global Automotive

ethan_steiger () polk com

