Forum Discussion

wayney_128269
Oct 28, 2009

security concern about BIGIP SSL connection

I have a concern about BIGIP connections.

Here is the scenario: if User A authenticates using NTLM to a web service behind a BIGIP VIP via SSL, can another user re-use an authenticated connection that already exists on the BIGIP to the same server? User A's client app passes a cookie to the server to maintain session persistence so that NTLM can occur properly.

User A > BIGIP > Connection A on BIGIP to Server XYZ

User B > BIGIP > Can User B use the same Connection A already on the BIGIP to connect to Server XYZ?

thanks

3 Replies

  • It's possible for user B to use the same connection, but user B would most likely be in a separate session. One of the ways to strengthen the communication is to basically have an SSL connection between Client ---> BIGIP --> Server. This way you have end-to-end encryption.

    My 2 cents,

    CB
  • That is a legitimate concern. In pre-v10 you can set a /32 mask on the OneConnect profile to ensure that the serverside TCP connection is only re-used for the same client IP address. In pre-v10, if you have multiple clients connecting from the same IP address to an app that uses NTLM, it would probably be best to not use OneConnect on the VIP.

    SOL10477: Optimizing NTLM traffic in BIG-IP version 10.x

    https://support.f5.com/kb/en-us/solutions/public/10000/400/sol10477.html

    However, since NTLM is connection-oriented and allows multiple requests on the same connection without re-authentication, issues can occur after the initial handshake when the OneConnect feature adds NTLM-authenticated requests to the connection pool to potentially be reused by unauthenticated client(s). Prior to version 10.0.0, this issue could be mitigated or avoided only by using special techniques such as:

    * Configuring the OneConnect source mask feature to limit serverside flows by subnet or to the original client IP address

    * Configuring an iRule to disable the OneConnect profile for NTLM, or to provide special handling for NTLM

    In v10, you can use the NTLM profile with OneConnect as described in SOL10477.

    Aaron
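The second pre-v10 mitigation in Aaron's list, an iRule that gives NTLM special handling under OneConnect, written out as an added example. This is not code from the thread or from F5's SOL10477; it assumes the virtual server has an HTTP profile and a OneConnect profile attached, and the variable name ntlm_conn is an arbitrary choice. The point it demonstrates is the one the thread is about: once a serverside connection has completed an NTLM handshake, it must not go back into the pool where a different client could be handed it.

```tcl
# Added example (not from the thread or from F5's KB article): keep an
# NTLM-authenticated serverside connection out of the OneConnect pool so
# that no other client can inherit its authenticated state.
# Assumes the virtual server carries an HTTP profile plus a OneConnect
# profile. The variable name ntlm_conn is arbitrary; iRule variables are
# scoped to the clientside connection, so the flag set on the first
# NTLM request is still visible on later requests over that connection.

when HTTP_REQUEST {
    # NTLM and Negotiate (SPNEGO) authenticate the TCP connection, not the
    # request: after the handshake, later requests on the same connection
    # carry no Authorization header at all. So the connection is flagged
    # the first time an NTLM/Negotiate Authorization header is seen and
    # the flag is consulted on every request after that.
    if { [HTTP::header exists "Authorization"] } {
        set auth [string tolower [HTTP::header "Authorization"]]
        if { [string match "ntlm *" $auth] || [string match "negotiate *" $auth] } {
            if { ![info exists ntlm_conn] } {
                set ntlm_conn 1
                log local0. "NTLM/Negotiate from [IP::client_addr]:[TCP::client_port]; pinning serverside connection"
            }
        }
    }

    if { [info exists ntlm_conn] } {
        # Do not take an idle connection out of the OneConnect pool for this
        # request; open a fresh serverside connection instead ...
        ONECONNECT::reuse disable
        # ... and do not detach that serverside connection into the pool when
        # the response completes. It stays bound to this client connection
        # for its lifetime, which is what NTLM's connection-level auth needs.
        ONECONNECT::detach disable
    }
}
```

Two caveats a practitioner would want alongside this. The first mitigation in the list, the source mask, is a profile setting rather than iRule code (in tmsh it is the source-mask attribute of the one-connect profile, and 255.255.255.255 is the /32 Aaron describes); it only separates clients that arrive from distinct addresses, so clients behind a shared NAT or forward proxy still collide, which is exactly the case where the reply recommends dropping OneConnect from the VIP. Second, adding a server-side SSL profile, as the first reply suggests, encrypts the BIGIP-to-server leg but does not change pooling: an NTLM-authenticated serverside SSL connection is reused by OneConnect just like a cleartext one, so encryption on its own does not address the reuse question the original post asks.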