Forum Discussion
simquest_85026
Nimbostratus
Dec 04, 2012
BigIp LTM - Apache and Tomcat dmz
I have a Big Ip LTM on a DMZ. It is used as a web accelerator and load balancer. I have multiple Apache web servers and Tomcat application servers. My question is: I needed to move my tomcat server...
jwham20
Nimbostratus
Dec 04, 2012
Simquest,
Ah, the age-old question... Trust. Who to trust, can we trust it, will it break?
So my response, and I'm biased, is yes, you can trust the F5. But there is always a configuration danger (typically misconfiguration, etc.).
Does this look like the architecture you are thinking:
Wild internets !!!!!!! ----------> DMZ [ F5 LTM ] -----> LAN [ Database servers, apache webservers ]
If that is the case, I can 100% support this plan. Essentially, you are using the F5 as your firewall, as well as the load balancer and acceleration. The platform can for sure handle it.
Couple of things to consider:
- Make sure that all virtuals that listen on the internet vlan are only for IPs, etc. that you want exposed
- Are you going to use the LTM as a load balancer for the DBs? If so, make sure you've got the virtual configured and listening on the apache webservers vlan. (If the apache servers are going to go straight to the DBs, no need for that.)
- Consider using some of the LTM service cloaking iRules for apache (https://devcentral.f5.com/tutorials/tech-tips/security-irules-101-engage-cloak)
All in all, I can say 100% that not only is it a good idea, but many many people run in the same/similar fashion.
-Josh
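One way to check the first point in the reply above (virtuals listening on the internet VLAN), as an added example that is not part of the original thread or F5's own tooling. It assumes tmsh-style `ltm virtual` stanzas in which a virtual without `vlans-enabled` listens on every VLAN not listed; the VLAN names, addresses and the allow-list are constructed.

```python
import re

# Constructed sample in the style of tmsh "ltm virtual" stanzas (not from the thread).
SAMPLE_CONF = """\
ltm virtual /Common/vs_www {
    destination /Common/203.0.113.10:443
    vlans {
        /Common/external
    }
    vlans-enabled
}
ltm virtual /Common/vs_db {
    destination /Common/10.20.0.50:3306
    vlans {
        /Common/apache_vlan
    }
    vlans-enabled
}
ltm virtual /Common/vs_admin {
    destination /Common/203.0.113.99:8080
}
"""

def parse_virtuals(conf):
    """Return {name: {"destination": "ip:port", "vlans": set, "mode": str}}."""
    virtuals = {}
    for m in re.finditer(r"^ltm virtual (\S+) \{\n(.*?)^\}", conf, re.S | re.M):
        name, body = m.group(1), m.group(2)
        dest = re.search(r"^\s*destination (\S+)", body, re.M).group(1)
        vl = re.search(r"^\s*vlans \{(.*?)\}", body, re.S | re.M)
        vlans = set(vl.group(1).split()) if vl else set()
        mode = "enabled" if re.search(r"^\s*vlans-enabled\s*$", body, re.M) else "disabled"
        virtuals[name] = {"destination": dest.rsplit("/", 1)[-1], "vlans": vlans, "mode": mode}
    return virtuals

def listens_on(v, vlan):
    # vlans-enabled: only the listed VLANs; otherwise every VLAN except those listed.
    return (vlan in v["vlans"]) if v["mode"] == "enabled" else (vlan not in v["vlans"])

def unexpected_exposure(conf, internet_vlan, allowed_destinations):
    """Names of virtuals reachable from internet_vlan whose destination is not approved."""
    return sorted(name for name, v in parse_virtuals(conf).items()
                  if listens_on(v, internet_vlan) and v["destination"] not in allowed_destinations)

if __name__ == "__main__":
    print(unexpected_exposure(SAMPLE_CONF, "/Common/external", {"203.0.113.10:443"}))
```

In the sample, `vs_admin` is flagged because it has no VLAN restriction at all, which is the easy misconfiguration to miss when the LTM is the only device between the internet and the LAN.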
