Forum Discussion

Preetham_73405's avatar
Preetham_73405
Icon for Nimbostratus rankNimbostratus
Dec 31, 2010

F5 behind a router instead of a firewall, are there any risks??

Most practices refer to installing a F5 LTM with ASM behind a firewall

 

 

 

 

 

 

 

Internet --> Router --> FireWall --> LTM with ASM --> Web Servers

 

 

 

ACL controlled by the Firewall

 

 

 

 

I want to know if it would be a safe practice if we remove the Firewall from the mix

 

 

 

 

 

Internet --> Router --> LTM with ASM --> Web Servers

 

 

 

ACL controlled by the Router

 

 

 

We think this arrangement would reduce some latency and improve performance, But i'm worried about security

 

 

 

Does LTM perform as well as FW in this case, what would be the pros and cons of this solution?

 

 

 

I believe in having the LTM behind the firewall but our Network team wants to do it the other way, which would be correct for the long run?

 

 

 

 

 

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    IMNSHO... Keep the firewall.

     

     

    The F5's are all about performance and acceleration. Not necessarily front-end security (Although you could get creative with packet filters etc). Whereas the firewalls are all about security first and foremost.

     

     

    Keep the firewalls, and remember...

     

     

    1. If performance is an issue, use dedicated firewalls for your important apps. FW software and which hardware you're using really make a big difference here...

     

    2. The network (Including firewalls) isn't usually the bottleneck (Unless you're doing hi-freq trading in which case your response times will be measured in ns...).

     

    3. Router ACL's are generally packet matching only. And seldom do deep packet inspection

     

    4. Where routers do do DPI, they're generally not very quick about it (They're optimised for ROUTING, not firewalling).

     

    5. If you log a lot on routers, they REALLY REALLY slow down A LOT. (Been there, done that. Got the scars).

     

     

     

    H

     

  • I've done both. By default, F5's are default deny devices and if setup properly, do a very good job of being secure. Add to that some well-written router ACLs, and you can certainly be "secure." Of course, there's some piece of mind by having firewalls in front of you and as Hamish said, LTMs are made for performance and acceleration, not necessarily for denying tons of traffic.

     

     

    I know of an extremely large site that decided they didn't want the latency firewalls induce and they've been fine with it.

     

     

    You also have to consider what you're trying to protect against. If you've got an e-commerce app behind your LTM then the firewall is likely needed since people aren't simply going to be port scanning you. On the other hand, if you're simply hosting a static site, I wouldn't worry much.
  • Thank you everyone for your replies, it was really helpful, we decided to go with the firewall in the mix, it made sense for us to have it based on our network architecture where we use applications with and without SSL acceleration.
  • svs's avatar
    svs
    Icon for Cirrostratus rankCirrostratus

    Just to make sure: These are not the most recent recommendations by F5. As there are many firewalls on the market, that cannot handle as much sessions as the BIG-IP is able to do (when the sizing of firewall and BIG-IP is almost the same), today F5 recommends to place the BIG-IP directly to the outside, so beside the firewall. In combination with the AFM module the BIG-IP does nearly the same job as the firewall would do (no NG-Firewall).

     

    In addition the most amount of traffic already is or will be in the future TLS. So also NG-Firewalls would have to terminate the TLS session. This doesn't make sense at all, because the firewalls I know do not have the capabilities in handling TLS traffic as the BIG-IP have - i.e. Cipher Suite Support, Protocol Support, Session Handling configuration, SNI and so on.

     

    I know this article is from 2011, but if there are people out there, asking Google questions like this, they might be leeded to the wrong direction, because of a very old recommendation.

     

    Greets, svs

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus

    Yep. True. Very True.

     

    It has been over 4 years since I wrote the comments above. And the product has come a long way. To the point where IF you're using additional functionality such as AFM etc then there is a good argument for not having a separate firewall.

     

    I don't follow your argument about it being a follow on from there being more HTTPS. There's no additional requirement for the NG firewall to do the SSL offload. They didn't for TLS previously. Having more TLS doesn't make that any different. But could lend an argument that having a separate firewall is LESS required because it's doing nothing more than providing simple port based filtering...

     

    Old info on the internet is not a situation unique to BigIP though. I often search and find most comments amor the early 2000's... Heck, some of it I wrote... It's like a comment I saw from Jason the other day... Sometimes I find something I wrote a long time ago and think HTF did I work that out...

     

    H

     

  • svs's avatar
    svs
    Icon for Cirrostratus rankCirrostratus

    Great to hear that and great to see someone reacts on this article after so much time has passed. ;-)

     

    What I meant was, that there are much people terminating SSL/TLS connections on their NG firewalls for using features like IDS/IDP. I have much customers who are trying to intercept those connections inbound for "security" purposes. But using such features means to go without the SSL/TLS advantages of the BIG-IP.

     

    However, I'm pretty sure that even without AFM it's a pretty good idea to put the BIG-IP beside the firewall, because it's a default-deny device (w/o AFM) and in combination with ASM it does a better job for HTTP than every firewall I know. Of course there are much more technical reasons to do this than just this two surficial.

     

    Greets, svs

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus

    Yep.

     

    To my mind, the products are slightly merging in functionality. With quite a large overlap now. However I also believe that the easier task is to add the glossy firewall features to an already established product like the BigIP rather than established firewalls adding all sorts of layer7 firewall, IDS/IPS SSL offload functionality to the firewall product... F5 have expertise in the hard part of interpreting the content. While the firewall vendors may not be as up-2-date on those features.

     

    AFM is really the management side of it. As you say, BigIP has been a deny-all by default 'firewall' for a long time now. And without good management a great product is destined to get ignored, mistreated, misunderstood... Hence my comment about if you have it...

     

    H