Forum Discussion

Nimbostratus

Mar 19, 2021

F5 and the way forward

Hello, I have the following test server configuration .. 1) a third party bespoke application that allows https to be setup within that application. the application has its own maintena...

big-ip

security

phillip-Newbie

Nimbostratus

Mar 20, 2021

Morning Alex,

First of all thank you for responding to my question.

I totally agree with what you are saying and normally I would suggest this,

but consider that a group of developers could deliver to that environment several fix's, lets say "performance fixes together with bug fixes" and something goes wrong and its time critical. For that environment to be locked down then the "sprint" would have come and gone before the issue could be diagnosed.

I opened the thread for a general discussion to ...

1) improve my thinking around this subject area

2) to look at options that I might have missed.

3) I want an option of flexibility that will allow developers to diagnose an issue before it gets production when either myself or the testers flag issues with the code drop.

4) You can never stop learning and someone out there is better than myself for sure.

At no point do I say that you are wrong as you are correct!

I am looking for a flexible approach that I could trouble shoot when required. I have no doubt that this last comment will open up a debate for sure :-)

AlexS_yb
Cirrocumulus
Mar 20, 2021
Note - I'm a F5 newbie. but :) the approach I would take - and trying to keep it simple. KISS
is move SSL to the F5 make every one connect via here. if you have multipaths it just causing pain.

You want a break fix solution, put in a policy , irule, or ??? something that gives the devs emergency access if needed, straight through rule, that is only ip based or some limiting factor.

if the problem is the app being behind a reverse proxy .. well that will need some testing before hand.

But ... I don't know your environment so ... there might be other mitigating factors
- phillip-Newbie
  Nimbostratus
  Mar 22, 2021
  Afternoon Alex,
  
  First of all thanks for responding again !
  
  I have been looking at various F5 documents and came to the conclusion that if I was to implement a "Full SSL Proxy / SSL Re-Encryption /" solution with apache ModSecurity then this would give me a load balancer using SSL and a WAF behind the load balancer to filter out attacks.
  I came to the conclusion that SSL up to the apache reverse proxy server would be in force. The documentation says that ModSecurity would remove the SSL after apache modsecurity has examined the https request.
  Surely, modsecurity would be sufficient to filter out attacks? Freeware Hmmmm !!!
  
  Then I might be completely wrong and I have missed something obvious, and there could be a better solution out there?
  
  I did go down the path of moving SSL to F5 only (SSL offloading) but then including the WAF after the LB to provide additional security was a cause for concern as this should be SSL encrypted communication.
  
  Locking down ports and implementing access control was then my next thought.
  
  The post was to see what a wider audience could suggest but there appears to be very few people who want to discuss this area?
  
  Thanks for responding Alex !
  
  Documents read
  https://www.f5.com/company/blog/where-does-a-waf-fit-in-the-data-path
  https://support.f5.com/csp/article/K65271370
  https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch01-introduction.html
- AlexS_yb
  Cirrocumulus
  Mar 22, 2021
  Sounds all good, along the same path.
  Moving from nginx to F5... learning curve for me to