Forum Discussion

ahmad_2312
Feb 27, 2010

best practice to deliver Multiple Applications

Hello

Good Day;

What is the best practice that you recommend for us to deliver two different applications that shouldn't overlap? Is using 1 appliance for each application considered a good choice for securely separating each application from the other? What is the scenario used by your customers, for example banks?

If using the same appliance to deliver internal and external applications, what is the probability that the F5 appliance will get hacked and the hacker can switch to the internal application?

What is the best practice for high availability (Active-Active) or (Active-Standby)?

1 Reply

  • Hi Ahmad,

    F5 doesn't (yet?) provide a completely virtualized appliance like Cisco where you can assign CPUs, memory and networks to individual contexts. But there are many options for isolating one set of clients/apps from other sets of clients/apps on LTM. It really comes down to your security requirements and budget for which approach you take.

    A major bank I work with in the UK has separate LTM pairs for each of their applications. Though for cost reasons, they're starting to investigate a shared architecture to host multiple apps through a single LTM pair. Another bank uses two pairs of LTMs with separate DMZs between each but all apps on the same set of VLANs. Other large customers separate the apps using VLANs. Still others use routing domains to enforce network layer separation between different applications and client bases.

    For a VLAN based solution, you can use a configuration described by Denny in this post:

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=31&tpage=1&view=topic&postid=2097922930

    I recently set this up with routing domains for a customer who wanted to segregate their public to DMZ server traffic from internal users to internal servers. The advantage to route domains is that you can use overlapping subnets for each client. It also provides an additional layer of protection against misconfiguration of LTM allowing traffic to mix between the two sets of VLANs. I don't think the additional complexity in configuration is worth it though, if you don't need to support overlapping subnets.

    There have been remotely exploitable vulnerabilities in LTM and other modules. But they aren't found frequently, and F5 provides quick fixes when issues have been discovered. If it's a very critical set of apps that justify the cost of separate devices, then you can always pay for separate pairs. Most customers I've worked with have found this risk doesn't justify the cost though.

    As far as the redundancy configuration goes, LTM does support active-active. But it's not an implementation I like. There is potential for you to load the units past 50% capacity and lose redundancy. It also complicates the configuration as you need to assign VIPs to specific units.

    Aaron
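The route-domain layout Aaron describes (public-to-DMZ traffic and internal-user traffic on one LTM pair, with overlapping server subnets kept apart), written out as a tmsh configuration fragment. This is an added illustration, not configuration from the thread or from F5; it assumes TMOS tmsh syntax, and the VLAN, interface, pool and address values are placeholders chosen for the example.

```tmsh
# Two VLANs, one per trust zone (interface numbers are placeholders).
net vlan vlan_dmz {
    interfaces { 1.1 { } }
}
net vlan vlan_internal {
    interfaces { 1.2 { } }
}

# One route domain per zone. "strict enabled" (the default) means traffic
# cannot be forwarded between domains even if a VLAN or self IP is later
# misconfigured, which is the extra layer of protection the reply mentions.
net route-domain rd_dmz {
    id 1
    strict enabled
    vlans { vlan_dmz }
}
net route-domain rd_internal {
    id 2
    strict enabled
    vlans { vlan_internal }
}

# The %<id> suffix binds an address to a route domain, so the same
# 10.10.0.0/24 can exist in both zones without conflict (constructed values).
net self 10.10.0.1%1 {
    address 10.10.0.1%1/24
    vlan vlan_dmz
    allow-service none
}
net self 10.10.0.1%2 {
    address 10.10.0.1%2/24
    vlan vlan_internal
    allow-service none
}

# Pools and virtual servers are scoped the same way: identical member
# addresses, different route domains, so no path exists from one to the other.
ltm pool pool_dmz_web {
    members { 10.10.0.10%1:80 { address 10.10.0.10%1 } }
}
ltm pool pool_internal_web {
    members { 10.10.0.10%2:80 { address 10.10.0.10%2 } }
}
ltm virtual vs_dmz_web {
    destination 192.0.2.10%1:80
    pool pool_dmz_web
    profiles { http { } tcp { } }
}
ltm virtual vs_internal_web {
    destination 10.20.0.10%2:80
    pool pool_internal_web
    profiles { http { } tcp { } }
}
```

To confirm the isolation after loading this, `tmsh list net route-domain` should show each domain owning only its own VLAN with `strict enabled`, and no route-domain entry should list a `parent`.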