Routing of DMZ F5 traffic to internal F5 traffic

Question

I have a design / functionality question. I have a DMZ server that I'll be bringing into our internal network but will be fronting it will the F5 appliance in our DMZ. The question I has is two fold... (1) Would it be good practice to have the traffic coming from the DMZ F5 to the internal F5 and then to the backend vs? (2) Because I have to enter firewall rules for each server that we are bringing inside and fronting with the F5, would it be good practice to simply setup one set of ACLS to allow the DMZ and Internal f5's to talk with each other and then edit the firewall acl with a new port each time we add new functionalty?

mimlo_61970 · Accepted Answer

I wouldn't consider it best practice, but people have their own opinions.  Ask yourself this, would you open a rule up from the Internet direct to an internal server?  If not, what protection do you think the F5 is adding to this connection to make your scenario better?  Assuming you are just talking about LTM, it is working as a proxy and terminating the connection, but for the most part it will pass all application traffic, including application attacks/exploits, right through to your internal server.  &nbsp;
As far as routing and firewall rules, that is configuration dependent, but I don't think you can just create a rule allowing DMZ F5 to talk to internal F5.  Your traffic will go through the external F5 and have some source IP(defined by if SNAT is enabled, what snat pool you use, or automap) to a destination of the internal virtual server.  I imagine you will need a separate rule for each VS you want to work this way.&nbsp;

arie · Answer

I agree with @mimlo that your configuration wouldn't be best practice nor provide the best security architecture.&nbsp;
Having said that, you could use Route Domains on the BIG-IP as part of the solution. That would provide an additional layer of security and potentially keep you from having to configure each server individually on the firewall.&nbsp;

hamish · Answer

It would be rare I'd open up an INTERNAL server just by access from BigIP (LTM). To mitigate, I'd make sure that it was well protected... By strong auth, APM and ASM etc. (Which are designed to allow secure access inbound). &nbsp;
If not, then I wouldn't like to do it...&nbsp;
H&nbsp;

mimlo_61970 · Answer

As an example of why this is bad, consider a recent exploit, shellshock.  If you were running a Linux webserver using CGI that was vulnerable, an LTM would happily pass the exploit through.  The example I used to test internally was a specially crafted cookie containing the exploit that setup a reverse ssh session.  In the above scenario, that would give the attacker a shell on your internal server.  Yes there are irules to stop shellshock, and asm will now block it, but day 0 none of that was there, and sometimes things are being exploited in the wild before they are disclosed and patched.&nbsp;
Like Hamish said, I do this under only one set of circumstances, APM handling authentication and ASM as a frontline defense.  Most solutions are for unauthenticated traffic ruling out APM, which means the server goes in the DMZ.&nbsp;

hamish · Answer

Some simple rules I like to (At least try to) follow. &nbsp;
All inbound connectivity must terminate at the DMZThere is a change of protocol between DMZ and internal (i.e. Not just a simple proxy onwards).No data in the DMZNo accessing shared drives from DMZ back to internalNo interactive inbound connectivity from DMZ to internalNo interactive inbound connectivity from external to DMZObviously things that are DESIGNED to allow inbound interactive connectivity break some of these. e.g. RAS via APM. But that should be protected via STRONG authentication. e.g. two-factor like securIDAccepting inbound files from users is dangerous. Quarantine &amp; verify accordingly.
There's more of course... &nbsp;
H&nbsp;

mpete32_168869 · Answer

That's technically what we're attempting to do is to use the DMZ F5 as a proxy eliminating having to place any servers in the DMZ.

Forum Discussion

Routing of DMZ F5 traffic to internal F5 traffic

7 Replies

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

Routing traffic by URI using iRule

2 internal server vlans

LTM policy to route traffic to different pools

Route traffic to specific sorry server path

fellow traffic