Forum Discussion

simquest_85026
Dec 04, 2012

BIG-IP LTM - Apache and Tomcat DMZ

I have a BIG-IP LTM in a DMZ. It is used as a web accelerator and load balancer. I have multiple Apache web servers and Tomcat application servers. My question is: I need to move my Tomcat servers onto the LAN for better performance with the databases. Do I need to put an Apache in the DMZ behind the BIG-IP and in front of Tomcat for a more secure configuration, or is just the BIG-IP LTM in the DMZ in front, with the Tomcat application servers on the LAN, secure?

Should I trust the BIG-IP?

2 Replies

  • Simquest,

    Ah, the age-old question... Trust. Who to trust, can we trust it, will it break?

    So my response, and I'm biased, is yes, you can trust the F5. But there is always a configuration danger (typically misconfiguration, etc.).

    Does this look like the architecture you are thinking of:

    Wild internets !!!!!!! ----------> DMZ [ F5 LTM ] -----> LAN [ Database servers, Apache web servers ]

    If that is the case, I can 100% support this plan. Essentially, you are using the F5 as your firewall, as well as for load balancing and acceleration. The platform can for sure handle it.

    Couple of things to consider:

    - Make sure that all virtuals that listen on the internet VLAN are only for IPs, etc. that you want exposed.

    - Are you going to use the LTM as a load balancer for the DBs? If so, make sure you've got the virtual configured and listening on the Apache web servers' VLAN. (If the Apache servers are going to go straight to the DBs, no need for that.)

    - Consider using some of the LTM service cloaking iRules for Apache (https://devcentral.f5.com/tutorials/tech-tips/security-irules-101-engage-cloak)

    All in all, I can say 100% that not only is it a good idea, but many many people run in the same/similar fashion.

    -Josh

    DC security
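Added example for the cloaking suggestion in Josh's reply: a response-cloaking iRule written for this thread, not the code from the linked DevCentral tutorial or anything F5 ships. It assumes it is attached to the internet-facing virtual server, that the virtual has an HTTP profile (the HTTP_RESPONSE event only fires when one is present), and that the replacement banner value "web" is an arbitrary choice.

```tcl
# Added example iRule (Tcl), written for this thread; not the DevCentral
# tutorial's own code. Assumes an HTTP profile on the virtual server and
# an arbitrary replacement Server banner of "web".

when HTTP_RESPONSE {
    # Headers that reveal the Apache/Tomcat stack sitting behind the LTM.
    foreach hdr { Server X-Powered-By X-AspNet-Version Via } {
        if { [HTTP::header exists $hdr] } {
            HTTP::header remove $hdr
        }
    }
    # A bland Server value looks less unusual to scanners than no header at all.
    HTTP::header insert Server "web"

    # Default Apache and Tomcat error pages embed version strings in the body.
    # Replace 4xx/5xx HTML responses with a neutral page of our own so the
    # backend's self-identification never reaches the client.
    set status [HTTP::status]
    if { $status >= 400 && [string tolower [HTTP::header value Content-Type]] starts_with "text/html" } {
        HTTP::respond $status content "<html><body><h1>Error $status</h1></body></html>" \
            "Content-Type" "text/html" "Server" "web"
    }
}
```

This only removes what the backend advertises about itself; as the next reply notes, it is obfuscation rather than protection, so it complements rather than replaces a layer 7 policy.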
  • So I partially agree with Josh's statement.

    Yes, you can use BIG-IP LTM as a layer 3/4 firewall in front of your web servers, and it will perform very well in that function. I like the suggestion on using cloaking iRules; it is essentially just obfuscation, but taking away low-hanging fruit in the security world is essential if you ask me. One other thing you will want to do is to apply an HTTP profile to the VS, as this will help mitigate any network attacks that are not HTTP compliant, like Slowloris.

    There are a variety of other things within iRules that you can do as well to take out the known bad guys by using IP Intelligence (if you subscribe and if you are on v11.x) and/or Geolocation to restrict access from certain countries.

    Now don't get me wrong, this is all good stuff, and these are protections that, if you don't have them in place, you want to have in place, and you are doing more with BIG-IP and getting more capacity than most traditional network firewalls will give you. However, while all of this is great, it is essentially just layer 3 and 4 protection with some higher-layer stuff sprinkled in here and there. Also, for the more advanced protections here you are relying on iRules rather than out-of-the-box features.

    So as a security professional I would personally recommend looking at implementing ASM here in the DMZ to provide the protection at layer 7 that you need to do proper security for a web server.

    Simquest - After reading your post again, it almost seems like you are asking if you can replace the Apache web server with LTM in the DMZ and go Internet --> DMZ LTM --> Internal network Tomcat servers, as opposed to Internet --> DMZ LTM --> DMZ Apache server --> Internal network Tomcat server. Did I read that correctly? One question I have is: do you have an LTM on the internal network?
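Added example for the Geolocation and IP Intelligence ideas in the reply above: a connection-level gating iRule written for this thread, not F5's own code. It assumes two string data groups that you create separately, "blocked_countries" holding ISO 3166 two-letter country codes and "blocked_ip_categories" holding IP Intelligence category names (both names are hypothetical), and a BIG-IP version with the IP Intelligence subscription so that IP::reputation is available (v11.2 or later). Everything happens in CLIENT_ACCEPTED, so no HTTP profile is needed and rejected clients never get as far as HTTP parsing.

```tcl
# Added example iRule (Tcl), written for this thread; not F5's own code.
# Assumptions: string data groups "blocked_countries" (ISO 3166 codes) and
# "blocked_ip_categories" (IP Intelligence category names), both hypothetical
# names created separately, e.g. in tmsh:
#   create ltm data-group internal blocked_countries type string records add { XX { } }
# (XX is a placeholder, not a real country code), and an IP Intelligence
# subscription on v11.2+ so that IP::reputation is available.

when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Geolocation: whereis returns "" when the address is not in the database,
    # so unknown addresses are allowed through rather than blocked by accident.
    set country [whereis $client country]
    if { $country ne "" && [class match $country equals blocked_countries] } {
        log local0. "geo-block $client country=$country"
        reject
        return
    }

    # IP Intelligence: IP::reputation returns a Tcl list of category names
    # (for example "Spam Sources"), or an empty list for a clean address.
    # Reject if any returned category is one we have chosen to block.
    set categories [IP::reputation $client]
    foreach category $categories {
        if { [class match $category equals blocked_ip_categories] } {
            log local0. "ipi-block $client categories=[join $categories ,]"
            reject
            return
        }
    }
}
```

Keeping the decision in CLIENT_ACCEPTED means a blocked source costs the box a TCP handshake and a lookup, nothing more; the log lines are the only place the block is visible, so ship them to syslog if you want to review what the rule is dropping.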