Forum Discussion
SAM_81082
Nimbostratus
Jul 27, 2012
F5-3600 Application Security Module Design
Hi all F5 experts,
1) We want to use an F5 load balancer to comply with PCI standards. We have to use only the Application Security Module feature for some of the critical servers in the DMZ segment...
hoolio
Cirrostratus
Aug 01, 2012
Hi Sam,
a) Do we need to configure the LB in inline mode or in a one-arm configuration?
If your primary goal is security, I suggest deploying ASM so that clients cannot directly access the servers. This can be done using router/firewall ACLs in a one-armed architecture, or it happens by default with an inline deployment.
b) If we use inline mode, then the LB will be the default gateway for all DMZ servers, though only some of the servers require the ASM feature.
The DMZ servers could have another device set as their default gateway. If you do that, you'd probably need to use SNAT to have ASM translate the server-side source address to its self IP address. This ensures symmetric routing of traffic, which is necessary so that ASM can parse the responses from the servers.
c) Is it possible for the LB to inspect only a limited set of server IP addresses while excluding the rest of the IPs in the DMZ segment?
You can selectively enable ASM on a virtual server using a simple iRule and data group. See these articles for details. The first page's second example shows this:
https://devcentral.f5.com/wiki/iRules.asm__disable.ashx
https://devcentral.f5.com/wiki/iRules.class.ashx
Aaron
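As an added example (not from the thread or the linked articles), an iRule in this shape implements what Aaron describes: a network (wildcard) virtual server in front of the DMZ carries the ASM policy, and an address-type data group, here assumed to be named asm_protected_servers, lists the PCI-scoped servers; requests to any other destination bypass ASM, and both decisions are logged so the enforcement scope is auditable.

```tcl
# Added example, not from the original thread. Assumes a network (wildcard)
# virtual server covering the DMZ segment with the ASM policy attached, and an
# address-type data group named "asm_protected_servers" (assumed name) holding
# the IPs or subnets of the servers that must be inspected for PCI scope.
when HTTP_REQUEST {
    # IP::local_addr is the destination the client connected to, i.e. the
    # DMZ server sitting behind the network virtual server. For an address
    # data group, "equals" also matches when the IP falls inside a listed subnet.
    if { [class match [IP::local_addr] equals asm_protected_servers] } {
        # In scope: leave ASM policy enforcement on for this request.
        log local0. "ASM enforced: [IP::client_addr] -> [IP::local_addr] [HTTP::host][HTTP::uri]"
    } else {
        # Out of scope: skip ASM processing for this request and record the
        # bypass so that changes to the protected set stay visible in the logs.
        ASM::disable
        log local0. "ASM bypassed: [IP::client_addr] -> [IP::local_addr] [HTTP::host][HTTP::uri]"
    }
}
```

Adding or removing a server from the data group changes scope without editing the iRule, and the bypass log line gives the audit trail PCI reviewers will ask for.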