F5-LTM 11.5.4 mac-masquerade

Question

I have 2ea BIG-IP F5 vCMPs in an HA setup running version 11.5.4. The F5 is in routed mode where the server farms behind it are on different network segments/vlans with their default gateway residing on the F5 itself. The security folks want to mitigate a man-in-the-middle attack by setting up mac-masquerading but I think this will do more harm than good. If the masqueraded mac is on the traffic group now all vlans have the same mac-address and if that mac is compromised the attack surface is larger now than when each vlan had it's own unique mac (without mac masquerade). I understand that mac masquerade is good for arp/failover reasons, but I don't believe it is a man-in-the-middle preventative measure? Any guidance would assist us in our design.

hannes_rapp · Answer

I see no obvious security advantages of using MAC Masquerade either. Perhaps they want it to reduce L2 noise instead? When Masquerade is used, multiple originating BigIP (L2 Server-Side) MAC addresses will be contracted to just one. This adds to clarity on the wire as a BigIP middle-ware device is easily distinguishable from the other addresses, possible clients. To some extent, this will contribute to ease of sniffing, monitoring/surveillance. As a security enhancement, I don't buy the idea. As a security enhancement through added clarity, it might be a valid thing to ask for.

Forum Discussion

F5-LTM 11.5.4 mac-masquerade

1 Reply

Recent Discussions

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

Related Content

Lightboard Lessons: Mac Masquerade

MAC Masquerade

Arabic Blackboard F5 series [LTM Idea] باللغة العربية

Virtual Server graphical App for F5 LTM

F5 LTM License