Situation: Acme Corp is running at Mach 3, preparing to release the latest and greatest widget site of awesomeness.

The monkeys are ready, the bananas are ordered and the roller-skates are en route. In the first chapter of “Security is hard”, we performed the design gathering and whiteboarding.


With the data we gathered from meeting with the development team, we were able to draft a good plan for securely providing the access and resources the business needs.

But, as many have said, talk is cheap! Let us be monkeys of action!

Let’s look at a quick method to get this up and running. We are sticking to the KISS method (Keep It Simple Simian), for now anyway.

Purpose               IP              OS
File Server           3.3.3.4         Ubuntu 11
Application Server    4.4.4.3         Ubuntu 11
Database Server       5.5.5.10        Ubuntu 11
Bob.com Server        172.22.59.37    Ubuntu 11
LTM Virtual Edition   172.22.59.35    BIG-IP 11.2.1 VE


KISS Implementation

Step one

Make sure the LTM has connectivity with all the resources that are needed. If the VLANs are already configured, just run your ping checks (ping each server). If the VLANs are not configured, we need to get them set up.

Network –> VLANs

VLAN Name       VLAN Tag    IP Range
dnet3           4000        3.3.3.0/24
dnet4           4093        4.4.4.0/24
h3              4092        5.5.5.0/24
Public Access   4094        172.22.59.0/24

Then we will need to set up the self IPs for the LTM.

Network –> Self IPs

VLAN      Self IP
dnet3     3.3.3.3
dnet4     4.4.4.4
h3        5.5.5.5
Public    172.22.59.35

 

Step two:

Build the pool and virtual server for the application server.

Keeping it simple, create the pool dnet4-80 with an HTTP monitor. It goes green, woot!


dnet4-80 Pool:

Health Monitors: http

Members: 4.4.4.3:80

Next, the front-end virtual server “acmewidget”.

 

Acmewidget VS:

Destination: 172.22.59.40

Port: 80

SNAT Pool: Automap

Default Pool: dnet4-80


It listens on port 80, SNATs the traffic automatically (automap), and forwards it to 4.4.4.3.

Done? Eh, not so fast there, mister. How is the application server gathering all its pieces? Does it have network access to the file server or the DB server? What if we want a pair of file servers for when things get busy?

Step three:

This one might be controversial, but it’s my network, so I am going to do it. I set my LTM as the default gateway for the application server. Then, I configure an IP forwarding virtual server, listening only on the application VLAN (dnet4). This allows the application server to use the LTM to route its traffic:

IP Forwarding Virtual Server:

Destination: 0.0.0.0

Mask: 0.0.0.0

Port: All

Protocols: All

VLANs and Tunnels: Enabled on dnet4 (only listen for connections on dnet4)

SNAT Pool: Automap (fine for our simple config; if we were building production, we would want to use a dedicated SNAT pool)


So now the LTM can talk to all the pieces, the application can get out to the world to get data, and the virtual server is in place.
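The same three steps as tmsh commands, entered in the BIG-IP tmsh shell (the command-line counterpart of the GUI screens above). This is an added example, not the author’s configuration export. Assumed: interface numbers 1.1 to 1.4, the object names dnet4-forward and the *-self names, the public VLAN being named Public, and port lockdown on the self IPs set to none (stricter than the GUI default of allow default).

```tmsh
# Step one: VLANs with the tags from the table; interfaces 1.1-1.4 are assumptions
create net vlan dnet3 tag 4000 interfaces add { 1.1 { tagged } }
create net vlan dnet4 tag 4093 interfaces add { 1.2 { tagged } }
create net vlan h3 tag 4092 interfaces add { 1.3 { tagged } }
create net vlan Public tag 4094 interfaces add { 1.4 { tagged } }

# One self IP per VLAN; allow-service none keeps the self IPs from accepting
# inbound connections (manage the box via the management interface instead)
create net self dnet3-self address 3.3.3.3/24 vlan dnet3 allow-service none
create net self dnet4-self address 4.4.4.4/24 vlan dnet4 allow-service none
create net self h3-self address 5.5.5.5/24 vlan h3 allow-service none
create net self Public-self address 172.22.59.35/24 vlan Public allow-service none

# Step two: pool with the http monitor, then the front-end virtual server
create ltm pool dnet4-80 monitor http members add { 4.4.4.3:80 }
create ltm virtual acmewidget destination 172.22.59.40:80 ip-protocol tcp profiles add { tcp http } pool dnet4-80 source-address-translation { type automap }

# Step three: wildcard IP forwarding virtual server, enabled ONLY on dnet4.
# vlans-enabled + vlans { dnet4 } is what keeps this open forwarder off the
# Public VLAN; without it the LTM would route for anything that can reach it.
create ltm virtual dnet4-forward destination 0.0.0.0:0 mask 0.0.0.0 ip-protocol any ip-forward profiles add { fastL4 } vlans-enabled vlans add { dnet4 } source-address-translation { type automap }

# Check the listener scope before saving: only dnet4 should be listed
list ltm virtual dnet4-forward vlans vlans-enabled
save sys config
```

The list command is the quick audit to repeat after any later change to the forwarder: if Public ever shows up in its VLAN list, the default-route trick has become a public open forwarder.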

Let’s test it:

 

Well that is one happy monkey!  What does it look like in a network diagram?


 

Is this the end of our merry chase? We could go forth with this, give it to the dev team and say “have fun, y’all!”. But there is still so much we can do here. What improvements should we make? I know Mike called out a couple of really good ideas in the previous article. How about ways we can increase the resiliency of our application chain, accelerate the application, and add defenses to protect our app from attack?

 

POST YOUR IDEAS! Then, we shall finish this trilogy… Return of the Security Monkey.