Forum Discussion

MW1
Nov 05, 2010

F5 LTM deployment best practice (security)
Perhaps a little off topic, but I was wondering if I could ask for general thoughts on the deployment of F5 LTMs in datacentre networks, in particular the placement of the F5 and the backend web servers. In my company we have the traditional LAN, DMZ (and internet segments), and all of the networks are bordered by the same HA pair of firewalls. Our rule on placement of servers is simply: if it is to be made external (i.e. accessed from the internet) it is placed in the DMZ; if not, it goes in the LAN. Currently the rule still applies to servers behind the F5 LTMs, so servers that are load balanced by the F5 LTM go in the DMZ along with the virtual server IP hosted on the F5. However, we are receiving requests from a handful of teams to allow them to place the actual servers in the LAN and keep the virtual server in the DMZ.
Our thought is that while the inbound connection from the internet is proxied on the F5, the F5 is recreating the connection exactly the same and passing it on, therefore the backend machines are receiving the same requests from the internet with all the risks that carries. I should state we do not have a web application firewall or the ASM module to interrogate these requests and filter out malicious ones.
Is our reasoning sound, or do we misunderstand the situation and the benefit the F5 LTM provides?
thanks for any thoughts
1 Reply

  • So you could load balance to a layer of web servers in the DMZ, then have the web servers initiate connections through the back-end firewall to an LTM within the LAN. Sending the connections as-is through the DMZ to the internal network does carry risk, as you pointed out. It really comes down to your security posture.
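As an added illustration of the two-tier layout the reply describes (this is example configuration written for this page, not F5's own or anything from the original thread), the tmsh objects for a DMZ-tier LTM whose pool is the DMZ web servers, and a LAN-tier LTM reachable only from those web servers through the back-end firewall; all addresses and object names are assumed examples.

```tmsh
# --- DMZ-tier LTM (assumed addresses) ---
# The only thing the internet reaches is this virtual server. Without ASM,
# the http profile only parses the request; it does not filter payloads, so
# the DMZ web servers still receive the client's request as sent.
create ltm pool dmz_web_pool monitor http members add { 10.10.20.11:80 10.10.20.12:80 }
create ltm virtual vs_public_www destination 203.0.113.10:80 ip-protocol tcp profiles add { tcp http } pool dmz_web_pool source-address-translation { type automap }

# --- LAN-tier LTM (assumed addresses) ---
# Reached only by the DMZ web servers, which initiate the connection
# themselves across the back-end firewall. Back-end firewall policy to
# match (expressed in prose, vendor-neutral):
#   permit  10.10.20.11, 10.10.20.12  ->  10.10.30.5 tcp/443
#   deny    DMZ                        ->  LAN (everything else)
create ltm pool lan_app_pool monitor https members add { 10.10.30.21:8443 10.10.30.22:8443 }
create ltm virtual vs_internal_app destination 10.10.30.5:443 ip-protocol tcp profiles add { tcp http clientssl serverssl } pool lan_app_pool source-address-translation { type automap }
```

The point of the split is that the LAN-side virtual server never accepts a connection that originated on the internet; a compromised DMZ web server can still talk to 10.10.30.5:443, but nothing else in the LAN, so the back-end firewall rule is the control worth auditing.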