Forum Discussion
1 Reply
- What_Lies_Bene1 (Cirrostratus)
In the first instance I'd suggest you work your way through this: http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13092.html.
Here's a quick and dirty list of things I think about where the HMS is concerned (includes some of the above) - most of these would apply to any Linux system:
- DDoS settings (defaults are generally good); see here: https://f5.com/solutions/architectures/ddos-protection/ddos-exclusive
- Management access and source IP restrictions, idle times, banners etc.
- SSH ciphers for management access
- SSL ciphers for management GUI access
- User roles, admin partitions etc.
- Audit logging
- SNMP community and restrictions
- NTP security
- Local password policy
- Disable root account (perhaps admin too)
- Local and remote logging
- Port Lockdown
- Implement packet filters on the management interface (v11.3 onwards)
And then for LTM:
- Use OneConnect to minimise server impact
- Use Deferred Accept
- Disable Reset on Timeout
- Consider SSL ciphers and settings carefully
- Reduce idle timeouts if necessary
- VLAN Source check
- VLAN keyed connections
- QoS/Rate Limiting/shaping
- Use iRules to protect against basic attacks
- Connection rate limits
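The two checklists above, written out as tmsh commands. This is an added example, not part of the reply or of F5 documentation, and it assumes a few things that are not in the post: the 192.0.2.x / 203.0.113.x addresses are documentation placeholders, the object names (noc_audit, tcp_hardened, clientssl_hardened, oneconnect_27, drop_bad_methods, vs_web), the VLAN name external, the self IPs self_external / self_internal and the pool pool_web are invented and assumed to exist or be free, and the cipher strings are starting points to review rather than a recommendation. Verify each attribute against the tmsh reference for the BIG-IP version in use and try it on a lab unit first; the packet-filter and QoS items from the list are not covered here.

```tmsh
# ---- Host / management plane (HMS) ----
# Restrict GUI and SSH access to the management network (192.0.2.0/24 is a placeholder)
modify sys httpd allow replace-all-with { 192.0.2.0/24 }
modify sys sshd allow replace-all-with { 192.0.2.0/24 }
# Idle timeouts (seconds) and login banners for the GUI and SSH
modify sys httpd auth-pam-idle-timeout 600
modify sys sshd inactivity-timeout 600
modify sys global-settings gui-security-banner enabled gui-security-banner-text "Authorised access only."
modify sys sshd banner enabled banner-text "Authorised access only."
# Management crypto: SSH cipher list (tmsh restarts sshd) and TLS settings for the GUI
modify sys sshd include "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr"
modify sys httpd ssl-protocol "all -SSLv2 -SSLv3 -TLSv1"
modify sys httpd ssl-ciphersuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
# Roles and partitions: a read-only auditor account with no shell (name and password are placeholders)
create auth user noc_audit password "CHANGE-ME" shell none partition-access add { all-partitions { role auditor } }
# Audit logging of configuration changes, plus remote syslog (host is a placeholder)
modify sys db config.auditing value enable
modify sys syslog remote-servers add { siem { host 192.0.2.50 remote-port 514 } }
# SNMP: read-only community usable only from the NMS, and restrict polling sources
modify sys snmp communities add { nms_ro { community-name "CHANGE-ME" access ro source 192.0.2.60 } }
modify sys snmp allowed-addresses replace-all-with { 192.0.2.60 }
# NTP: explicit internal time sources only
modify sys ntp servers replace-all-with { 192.0.2.10 192.0.2.11 }
# Local password policy with lockout after repeated failures
modify auth password-policy policy-enforcement enabled minimum-length 14 required-uppercase 1 required-lowercase 1 required-numeric 1 required-special 1 max-login-failures 5
# Disable interactive root logins
modify sys db systemauth.disablerootlogin value true
# Port lockdown: self IPs on traffic VLANs accept no management services (self IP names are assumed)
modify net self self_external allow-service none
modify net self self_internal allow-service none

# ---- LTM data plane ----
# OneConnect: reuse server-side connections, keyed per /27 of client source addresses
create ltm profile one-connect oneconnect_27 defaults-from oneconnect source-mask 255.255.255.224
# TCP: deferred accept (no proxy resources until client data arrives), no RST on idle timeout, short idle timeout
create ltm profile tcp tcp_hardened defaults-from tcp deferred-accept enabled reset-on-timeout disabled idle-timeout 120
# Client SSL: legacy protocols off and a restricted cipher string (review before use)
create ltm profile client-ssl clientssl_hardened defaults-from clientssl ciphers "ECDHE+AES-GCM:ECDHE+AES:!SSLv3:!RC4:!MD5:!EXPORT" options { dont-insert-empty-fragments no-sslv2 no-sslv3 no-tlsv1 }
# VLAN source check and VLAN-keyed connections (VLAN name is assumed)
modify net vlan external source-checking enabled
modify sys db connection.vlankeyed value enable
# iRule: reject any HTTP method other than GET/HEAD/POST before it reaches the pool
create ltm rule drop_bad_methods {
when HTTP_REQUEST {
    switch [HTTP::method] {
        "GET" - "HEAD" - "POST" { }
        default { reject }
    }
}
}
# Virtual server tying the profiles together, with a concurrent-connection cap and a per-VS connection-rate limit (new connections per second)
create ltm virtual vs_web destination 203.0.113.10:443 ip-protocol tcp pool pool_web profiles add { tcp_hardened oneconnect_27 http clientssl_hardened { context clientside } } rules { drop_bad_methods } connection-limit 10000 rate-limit 500 rate-limit-mode object
save sys config
```

The management-plane section only needs to be applied once per unit (and the sshd/httpd changes will drop your current session, so run them from the console or a second session); the LTM profiles are reusable across virtual servers, and `rate-limit-mode` can be switched to a source-address mode if the goal is to throttle individual clients rather than the virtual server as a whole.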