Forum Discussion
Mike_Maher
Dec 05, 2012 | Nimbostratus
So I partially agree with Josh's statement.
Yes, you can use Big-IP LTM as a layer 3/4 firewall in front of your web servers, and it will perform very well in that function. I like the suggestion on using cloaking iRules; it is essentially just obfuscation, but taking away low-hanging fruit in the security world is essential if you ask me. One other thing you will want to do is to apply an HTTP profile to the VS, as this will help mitigate any network attacks that are not HTTP compliant, like Slowloris.
There are a variety of other things within iRules that you can do as well to take out the known bad guys by using IP Intelligence (if you subscribe and are on v11.x) and/or Geolocation to restrict access from certain countries.
Now don't get me wrong, this is all good stuff, and these are protections that, if you don't have them in place, you want to have in place; you are doing more with Big-IP and getting more capacity than most traditional network firewalls will give you. However, while all of this is great, it is essentially just layer 3 and 4 protection with some higher-layer stuff sprinkled in here and there. Also, for the more advanced protections here, you are relying on iRules rather than out-of-the-box features.
So as a security professional, I would personally recommend looking at implementing ASM here in the DMZ to provide the protection at layer 7 that you need to do proper security for a web server.
Simquest - After reading your post again it almost seems like you are asking if you can replace the Apache web server with LTM in the DMZ and go Internet --> DMZ LTM --> Internal network Tomcat Servers, as opposed to Internet --> DMZ LTM --> DMZ Apache Server --> Internal Network Tomcat Server. Did I read that correctly? One question I have is do you have an LTM on the internal network?
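As an added illustration of the two iRule ideas raised in the post above (country-based restriction and response cloaking), here is an example iRule that is not from the original thread or from F5. It assumes the built-in `whereis` geolocation lookup and `HTTP::header` commands available on LTM v11.x, and the allowed-country list is a placeholder the administrator would maintain.

```tcl
# Added example (not from the original post): geolocation restriction
# plus response cloaking in one iRule. Assumes LTM v11.x with the
# built-in geolocation database; the allow-list below is a placeholder.
when CLIENT_ACCEPTED {
    # Two-letter ISO country code for the connecting client address
    set country [whereis [IP::client_addr] country]

    # Placeholder allow-list; a data group is easier to maintain at scale
    set allowed_countries [list "US" "CA"]

    # Lookups can return an empty string (private/unknown ranges);
    # treat those as not allowed rather than silently passing them
    if { $country eq "" || [lsearch -exact $allowed_countries $country] < 0 } {
        log local0. "Rejected [IP::client_addr] (country: '$country')"
        reject
        return
    }
}

when HTTP_RESPONSE {
    # Cloaking: strip headers that advertise the backend software stack,
    # then insert a generic Server value so the header reveals nothing
    HTTP::header remove "Server"
    HTTP::header remove "X-Powered-By"
    HTTP::header insert "Server" "web"
}
```

Note that geolocation and header cloaking only remove low-hanging fruit, as the post says; they are not a substitute for layer 7 inspection such as ASM.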