Forum Discussion

SAM_81082's avatar
SAM_81082
Icon for Nimbostratus rankNimbostratus
Jul 27, 2012

F5-3600 Application Security Module Design

Hi all F5 experts ,

 

 

1) We want to use F5 load balancer to comply with PCI standards.We have to use only Application security module feauture for some of the criticial server in DMZ segment.

 

 

Need your valuable suggesion on below points

 

a) Do we need to configure LB in Inline Mode or One arm condition

 

b) If we use in Inline mode then LB will be default gateway for all DMZ server though some of the server does requires ASM feature.

 

c) Is it possible in LB to inspect only limited server IP address while exclude rest other IP's from DMZ segments.

 

 

Traffic Flow

 

------------------------------------------------------------------------------------------------------

 

Firewall ----> Proposed Load Balancer ( Application security Module) ---> DMZ Server

 

-----------------------------------------------------------------------------------------------------

 

 

Please suggest which method we can use for this setup.

 

 

Regards

 

TIA

 

 

SAM

 

config
design

1 Reply

Sort By
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 01, 2012
    Hi Sam,

     

     

    a) Do we need to configure LB in Inline Mode or One arm condition

     

     

    If your primary goal is security, I suggest deploying ASM so that clients cannot directly access the servers. This can be done using router/firewall ACLs in a one armed architecture or happens by default using an inline deployment.

     

     

    b) If we use in Inline mode then LB will be default gateway for all DMZ server though some of the server does requires ASM feature.

     

     

    The DMZ servers could have another device set as their default gateway. If you do that, you'd probably need to use SNAT to have ASM translate the serverside source address to its self IP address. This ensures symmetric routing of traffic which is necessary so ASM parses the responses from the servers.

     

     

    c) Is it possible in LB to inspect only limited server IP address while exclude rest other IP's from DMZ segments.

     

     

    You can selectively enable ASM on a virtual server using a simple iRule and data group. See these articles for details. The first page's second example shows this:

     

     

    https://devcentral.f5.com/wiki/iRules.asm__disable.ashx

     

    https://devcentral.f5.com/wiki/iRules.class.ashx

     

     

    Aaron