Forum Discussion
Attack signatures, security policies and NAT vs Virtual Servers
I'm new to the BIG IP system so forgive me if this seems rather simple.
We have a few public facing web servers we are bringing in to our DMZ (they are hosted elsewhere now). The traffic load to them isn't such that we require a pool of replicated servers and load balancing between them for each site. Really all that's needed in terms of traffic flow is just a one-to-one NAT for each one.
However, I'm confused because it seems from what I'm reading that you can only create and apply security policies (including attack signatures, etc) to specific servers in your network if you set up a Virtual Server that the web server is tied to.
Am I reading this correctly? Or am I misunderstanding how this works?
Thanks!
- Tzoori_Tamam_95 (Historic F5 Account)
The main traffic-carrying element on a BIG-IP is a Virtual Server. The name may be a little misleading, as it is simply a traffic listener, usually consisting of an IP and port, to which you attach all sorts of properties - like the real server(s) you wish to send traffic to, the SSL cert clients that access that virtual server will see, NAT rules, HTTP caching options and more, including a Web Application policy.
As you grow more familiar with BIG-IP concepts, all will be made very clear.
You should try http://university.f5.com for some of the "essentials" courses there (free of charge, and publicly accessible) - which will get you through all that.
Good luck!
- bsm1970 (Nimbostratus)
I went through a couple of them and thought I had it, then found myself confused again. So basically to do anything you need to set up a virtual server? Even if you just have a handful of individual web sites/servers to point traffic to?
- Tzoori_Tamam_95 (Historic F5 Account)
That would be the easiest way to start manipulating incoming traffic, yes. Keep translating "Virtual Servers" to "Listeners" in your head until it makes sense :)
- bsm1970 (Nimbostratus)
So in my scenario, if I'm reading this correctly, since I don't need load balancing among a pool of redundant servers for each of these sites, I should set up a Forwarding (IP) Virtual Server for that purpose. Is that correct? Also, if you have a Virtual Server that is listening for external clients wishing to connect, where does NAT come into play? Isn't the IP of the Virtual Server essentially doing NAT in and of itself? Thanks for your patience in answering this stuff.
- bsm1970 (Nimbostratus)
Bringing this out to the main level of the thread since I can't format carriage returns when responding to an answer.
Just as an update, I've been trying some things in the F5 to see how this might look. Even though it's just one node (let's say its private IP is 10.10.10.2), I created a node with that IP address. Then I created a pool and added that node as a member. Since all the traffic to it will be HTTPS, I added https and https_443 as active health monitors. All other default settings were left intact.
Then I created a VS. This is where it gets tricky for me. I have it set up right now as a Standard VS with a network address that covers our entire subnet of web content servers (for example, 10.10.10.0/26). Service port is 443 (https). For SSL Profile I used serverssl. All other settings stayed at default.
So at this point I'm just trying to figure out how best to do this. Does that setup look like I'm on the right track? And if I'm going to have other single web servers in that same /26 subnet that are totally different sites, should I make my VS just point directly to the node (destination address 10.10.10.2 in the above example) and create a new VS for each other web server, or perhaps have this one network address VS cover them all and just create different pools for the different web servers?
Forgive me for all the questions. I do need to get more formal training, but the time frame for this won't allow that right away.
- bsm1970 (Nimbostratus)
I guess what I'm driving at is that setting up a VS for these servers seems like overkill when a simple one-to-one NAT would appear to get the job done. But if I can't apply any ASM stuff to it - protecting from vulnerabilities and using attack signatures - then that won't work. I'm just wondering what the best way to do this is since I don't have a bank of servers hosting the same content that need to be load balanced.
- bsm1970 (Nimbostratus)
bump for any other responses?
- amjadb_4287 (Nimbostratus)
Hi bsm1970, you are supposed to NAT the public IP to the VS IP address of the F5 using your perimeter firewall, either for each website or for all websites (in this latter case, an iRule should be in place to differentiate between the different websites). The virtual server should be Standard and have at least an http profile, SSL offloading (for the ASM policy), SNAT, a Pool and finally an ASM policy.
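The layout in the reply above (one Standard VS per website with an http profile, client-side SSL termination, SNAT, a pool and an ASM policy), written out as a tmsh session. This is an added example, not configuration posted by anyone in the thread or shipped by F5. The node address 10.10.10.2 is the one the thread uses; 192.0.2.10 is a placeholder for the VS listener address that the perimeter firewall NATs the public IP to, and the object names (web1_*), the cert/key file names and the ASM policy name are assumptions.

```tmsh
# Added example (not from the thread). Addresses: 10.10.10.2 is the single
# backend from the thread; 192.0.2.10 is a placeholder for the VS address on
# the BIG-IP that the perimeter firewall maps the site's public IP to.
# All object names below (web1_*) are assumptions.

# One node and a one-member pool: no load balancing needed, but the pool is
# what gives the VS a destination and a health monitor (https, as in the thread).
create ltm node web1_node address 10.10.10.2
create ltm pool web1_pool members add { web1_node:443 } monitor https

# Client-side SSL profile so the BIG-IP terminates TLS; ASM can only inspect
# HTTP it can read. Assumes web1.crt / web1.key are already installed.
create ltm profile client-ssl web1_clientssl defaults-from clientssl cert web1.crt key web1.key

# Standard VS: http profile, client SSL (decrypt), server SSL (re-encrypt to
# the HTTPS backend), SNAT automap, and the pool.
create ltm virtual web1_vs destination 192.0.2.10:443 ip-protocol tcp profiles add { http web1_clientssl serverssl } source-address-translation { type automap } pool web1_pool

# Attach an ASM policy through an LTM policy (v11.4+ style). The ASM policy
# /Common/web1_asm_policy must already exist. On 12.1 and later, LTM policies
# are created under Drafts/ and published before they can be attached.
create ltm policy web1_asm_ltm_policy strategy first-match requires add { http } controls add { asm } rules add { enforce_asm { actions add { 0 { asm enable policy /Common/web1_asm_policy } } ordinal 1 } }
modify ltm virtual web1_vs policies add { web1_asm_ltm_policy }

# Check the result
list ltm virtual web1_vs
show ltm pool web1_pool members
```

Repeat the node/pool/VS block with a different listener address for each additional site; because each VS has its own pool, a second site in the same 10.10.10.0/26 subnet never needs a network-address VS. SNAT automap rewrites the client source address to a BIG-IP self IP, so the web server's replies return through the BIG-IP regardless of the server's default gateway.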
- bsm1970 (Nimbostratus)
Let me see if I understand what you're saying. The public IP of the web server the external user wants to reach should be routed to the VS on the F5 by the perimeter firewall. I would probably set up a different VS for each website so we would do the same thing for all of the other sites we stand up. I think initially I won't have any ASM policy running. I just want to get traffic flowing initially, then work toward adding an ASM policy. So for that, where would SNAT come into play? Is that just to make sure the traffic is routed back through the F5? And would SNAT be necessary if the web server nodes have the F5 as their default gateway?
- bsm1970 (Nimbostratus)
I think I've got my virtual servers set up properly. My question now is how NAT relates to all this. I have my public IP and my private internal IP for my web servers. I have a VS set up for each of them pointing to that private IP. How do I make it so that traffic coming in using the public IP address of a certain site hits the right VS? Do I put the public IP address of the web server in the Source Address field of the VS?
- bsm1970 (Nimbostratus)
bump