Forum Discussion

fahimfarookme's avatar
fahimfarookme
Icon for Nimbostratus rankNimbostratus
Apr 28, 2024

Enterprise Security best practices with F5 WAF

When it comes to responsibilities of each layer in an enterprise (i.e. DMZ/ WAF, application, SoR etc), and provided F5 Advanced WAF is deployed on the DMZ, should other layers assume primary respons...
security
waf
zamroni777's avatar
zamroni777
Icon for Nacreous rankNacreous

if all user access to the app goes through bot defense in dmz f5 awaf, then no need to put the filter again in server zone.


in my personal opinion, bigip/waf is application-layer oriented device, not network layer oriented device.
it behaves more like application servers, so it's more properly installed in the server zone.

and btw, bigip device supports vlan, vxlan, and vrf-like segmented routing via route domain features.
so actually 1 device can covers all zones if you set proper vlan/vxlan/vrf configurations.
some people might "persuade" buyers to buy separate devices for each zone though 🙂

 

fahimfarookme's avatar
fahimfarookme
Icon for Nimbostratus rankNimbostratus
Apr 29, 2024

Thanks for your response.

In our case F5 WAF is in the DMZ and the applications are in the private subnets behind DMZ.