Firewall Wizards mailing list archives
RE: Arch questions
From: "Warrington Bruce - bwarri" <bruce.warrington () acxiom com>
Date: Mon, 15 Aug 2005 11:36:36 -0500
The questions I have are: 1/ Someone has recently mentioned the idea of using private addressing between the inet > rtr and the firewall, with public addressing on the web. What are the pros and cons?
You can save a few IP addresses by not using up a /29 block for the network devices themselves (2 physical + 1 virtual for both the pair of routers and the pair of firewalls). Does losing 8 of your routable IP addresses mean anything to you for the number of addresses you have and the number of these you need to set up? If not, don't worry about it. The firewall won't be any more or less secure if you go either way. I am assuming that you're not going to try to make the firewall outside subnet bigger than it needs to be and allow servers to sit on the subnet between the firewall and the router, which is a much bigger security concern.
3/ My research shows I need to have specific certs (Apache and one other) for *each* webserver behind the Big IP. Anyone have any experience with F5 Big IP 1500s?
You can offload the SSL certs to the BigIP, but the requirement of buying a cert per web server is a contractual requirement, not a technical one. The BigIP provides a speed improvement by not requiring your web server to do any of the crypto, and also gives you a LOT more options for load balancing. Remember, if you do SSL on the web server, the BigIP can't see the traffic as anything but encrypted packets going to an IP address, so it can't do very much but spread the connections around to your pool of servers. If the BigIP opens up the SSL traffic because it's handling that part, it can see the http traffic, and that gives you many other options of things the BigIP can do for you for load balancing, session persistence, rule writing, redirection, etc. You technically only need 1 SSL cert on the BigIP itself, but legally that won't fly. If you read the fine print (or call your SSL cert vendor of choice) they'll make it very clear that using a BigIP does NOT change your requirement for the number of certs you're supposed to buy. It's similar to the case of using your web server to front end your database, where the database vendor won't let you drop your enterprise license and convert to a single user copy just because you found a way to hide the number of users from it. Technically yes, legally no, so consider that before you change your licensing model.