Forum Discussion

lkchen
Jun 13, 2013

Performance impact of VS access control

We have various virtual servers on our F5, where access is being controlled by differing means ... where I would like to cleanup in a certain direction, but wonder if there is a performance impact to be concerned with?

Currently, the 3 ways that access is limited for a given service are:

1. host-based firewall on the pool members and using tcp-verified-accept in the virtual server

2. packet filter rule on the BigIP

3. iRule on the Virtual server, such as:

when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals INTERNAL_NETWORKS] } {
        return
    }
    if { [class match [IP::client_addr] equals PERMITTED_OUTSIDE_IPS] } {
        return
    }
    HTTP::respond 403 content {...}
}

or

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals INTERNAL_NETWORKS] } {
        if { [class match [IP::client_addr] equals GUEST_NETWORK] } {
            drop
        }
    } else {
        drop
    }
}

Currently most of the virtual servers are being limited through a packet filter rule (originally created using the wizard); however, adding to the rule and ensuring that it is up to date is difficult. Host-based firewall used to be the only way we limited access, but the use of SNATs and, more recently, OneConnect makes that less effective. (Use of tcp-verified-accept has only been recent, and mainly if I did the VS and I remembered.) We went from where I primarily took care of our F5 to as many as 4 people making changes.... which has caused some interesting problems when we step on each other.... like doing a config sync while a config sync is already running. Though I'm still the person for the more advanced features.... the stuff we didn't support until I took it on.... even though users want features of 11.x, and we're on 10.2.4.... and EoSD has gone by for our platform. We had a meeting scheduled to talk about a new F5, but it got canceled without explanation the day of, and I haven't heard when we'll try again. Though we're in the lull where we're way past the cutoff for this FY's purchases, and waiting to see what the final state budget for the coming FY will be.

Anyways, I was leaning towards changing everything to iRule based, because it's more visible to all the other users on the F5 (we went from 1 admin and 3 guest accounts, and it being a black box that we told people what it did for them.... to 4 admins, 12 [and more to come] operators.... and only 1 of the 3 guest accounts being used [since all the people using one guest account are now admins, and all the people using the other are about to become operators, as soon as I find a quiet moment to edit the config files to move all their virtual servers and pools into their partition]).

Though I doubt this will stop them from immediately blaming the F5 for every outage that happens. Last year we had a major outage of a critical system; all the students had to pay tuition on the first day of classes. The F5 kept marking servers down, but they said they could hit the backend server directly and eventually connect. Well, the F5 monitor is 5/16; taking over a minute after connect to get a response is considered down. I changed the monitor, which they then immediately blamed for other problems and demanded it be changed back, which only made things worse.... Though later I did also notice that there seemed to be an excessive amount of SSL renegotiations taking place. The big problem was later identified by Oracle as a bug addressed by a missing patch....

This was the first time they made everybody pay by the first day, instead of up to a couple of weeks into the start....

Lawrence
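As an added example (not part of Lawrence's post or the reply), here is one way to fold the two rules above into a single iRule that does the data-group lookups once per client TCP connection in CLIENT_ACCEPTED (which fires once per connection, whereas HTTP_REQUEST fires for every request on a kept-alive connection), logs each denial so the decision is visible in the LTM log, and hands the real client address to pool members that SNAT or OneConnect would otherwise hide it from. The data groups are the ones named in the post; the variable names, the log format and the assumption that the virtual server carries an HTTP profile (needed for HTTP_REQUEST to fire) are mine.

```tcl
# Added example, not the poster's rule. Evaluates the allow list once per
# client connection instead of once per HTTP request.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    set allowed 0
    if { [class match $client equals INTERNAL_NETWORKS] } {
        # Internal address space, minus the guest network carved out of it.
        if { ![class match $client equals GUEST_NETWORK] } {
            set allowed 1
        }
    } elseif { [class match $client equals PERMITTED_OUTSIDE_IPS] } {
        set allowed 1
    }
    if { !$allowed } {
        # Record the denial (assumed log format), then send a RST. A reject is
        # easier to diagnose from the client side than a silent drop.
        log local0. "access denied: $client -> [IP::local_addr]:[TCP::local_port]"
        reject
    }
}

# Only reached by connections that passed the check above. Pool members
# behind a SNAT or OneConnect see the BIG-IP's address as the source, so
# pass the real client address along for host-side logging and auditing.
when HTTP_REQUEST {
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
```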

1 Reply

  • I do not have an answer, but I think if current CPU utilization is good, it may be fine.

    I understand tcp-verified-accept is not compatible with an L7 profile or iRule. By the way, for a host-based firewall virtual server, if you do not need L7 features, why don't you use the performance L4 (FastL4) virtual server type instead of the standard one?