Firewall Wizards mailing list archives

Re: Load balancer in lieu of firewall...


From: Marc Alberts <m.alberts () f5 com>
Date: Wed, 2 Jun 1999 07:21:37 -0700

I just thought I would put out the truth from the F5 Networks point of view on this:  BIG/ip is not a firewall.  BIG/ip 
does have the sort of IP filtering that Chris describes for routers--you have to explicitly allow port traffic--but I 
would not call it a firewall or a firewall replacement by any means if you are really concerned about security.

I hope John sees this, because I think he has the key to his answer in his text when he describes his need for a 
"reasonably secure" site.  What is reasonably secure?  If your needs are for IP filtering and nothing more, then you do 
not even have to burden the router CPU with the functionality if you have BIG/ip.  If you need active virus scans on 
packets going through the bastion host, then by all means you should go buy a Gauntlet or a similar firewall with that 
functionality, as you won't get it out of BIG/ip either now or in the future.  The real consideration is the cost, and 
what the additional security beyond IP filtering really gets you.

By the way, the posting by Scott Brown was correct in assuming that we have customers using BIG/ip to load balance 
multiple firewalls and make them a single, high-throughput gateway.  But it wasn't the Army.  However, the customer was 
using the Network Associates Gauntlet firewalls :-)

I hope this helps.

Marc Alberts
F5 Networks, Inc.

At 09:51 AM 5/24/99 , John Nanas wrote:
We've been investigating load balancers for a new website that we're going to launch. The site has to be reasonably 
secure, which is why we've allocated budget for a firewall as well as a load balancer. The makers of the BigIP, F5 
Labs, assure us that the packet filtering features of their load balancer are sufficient, and that we don't need a 
firewall.
In response, Chris Michael of Network Associates wrote:
If you're running a web server farm you probably want to use router filtering to block traffic on all non-essential 
ports. After that, you could use whatever packet filtering is built into the load-balancing stuff.




