F5 LTM deployment best practice (security)
Perhaps a little off topic, but I was wondering if I could ask for general thoughts on the deployment of F5 LTMs in datacentre networks, in particular the placement of the F5 and the backend web servers. In my company we have the traditional LAN, DMZ (and internet segments), and all of the networks are bordered by the same HA pair of firewalls. Our rule on placement of servers is simply: if it is to be made external (i.e. accessed from the internet) it is placed in the DMZ; if not, it goes in the LAN. Currently the rule still applies to servers behind the F5 LTMs, so servers that are load balanced by the F5 LTM go in the DMZ along with the virtual server IP hosted on the F5. However, we are receiving requests from a handful of teams to allow them to place the actual servers in the LAN and keep the virtual server in the DMZ.
Our thinking is that while the inbound connection from the internet is proxied on the F5, the F5 is recreating the connection exactly the same and passing it on; therefore the backend machines are receiving the same requests from the internet, with all the risks that carries. I should state that we do not have a web application firewall or the ASM module to interrogate these requests and filter out malicious ones.
Is our reasoning sound, or do we misunderstand the situation and the benefit the F5 LTM provides?
Thanks for any thoughts.
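The following is an added model of the scenario in the question, written to make the two halves of the poster's reasoning concrete; it is example code, not F5 code or anything from the original post. It assumes a virtual server and server-side self-IP in the DMZ, SNAT so that pool members see the F5's address, and optional X-Forwarded-For insertion; all zone names, addresses and the sample request are constructed. It shows what an LTM without ASM changes (the TCP connection, which now originates from the F5) and what it does not change (the HTTP method, path, headers and body reach the pool member as sent), and which additional inter-zone firewall rule each placement of the pool member requires.

```python
"""Model of an LTM virtual server in the DMZ with pool members in the DMZ or LAN
and no ASM/WAF.  Added example; names, addresses and the request are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A TCP connection as a firewall sees it: source/destination and zones."""
    src_ip: str
    src_zone: str
    dst_ip: str
    dst_zone: str
    dst_port: int


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict
    body: bytes = b""


# Constructed topology (assumption: SNAT, so pool members see the F5 self-IP).
F5_VIP = "203.0.113.10"      # virtual server address, DMZ
F5_SELF_IP = "10.10.20.5"    # server-side self-IP used for SNAT, DMZ
ZONE_OF = {
    "203.0.113.10": "DMZ", "10.10.20.5": "DMZ",
    "10.10.20.50": "DMZ",    # pool member that stays in the DMZ
    "10.10.30.50": "LAN",    # pool member the teams want to move into the LAN
}

# Constructed sample request arriving at the virtual server from the internet.
SAMPLE_REQ = HttpRequest("POST", "/search", {"Host": "www.example.test"}, b"q=search+term")


def full_proxy(client_ip: str, req: HttpRequest, pool_member: str, app_port: int = 8080):
    """What the LTM does without ASM: terminate the client's TCP session, open a
    *new* server-side connection from its own address, and hand over the HTTP
    request unchanged.  Returns (server-side flow, request as the pool member sees it)."""
    server_side = Flow(F5_SELF_IP, ZONE_OF[F5_SELF_IP],
                       pool_member, ZONE_OF[pool_member], app_port)
    forwarded = HttpRequest(req.method, req.path, dict(req.headers), req.body)
    # Assumed X-Forwarded-For insertion: records the original client address and is
    # the only change this model makes to the application payload.
    forwarded.headers["X-Forwarded-For"] = client_ip
    return server_side, forwarded


def firewall_allows(flow: Flow, policy: set) -> bool:
    """policy is a set of (src_zone, dst_zone, dst_port); inter-zone traffic is
    denied unless a tuple matches, i.e. default deny between zones."""
    return (flow.src_zone, flow.dst_zone, flow.dst_port) in policy


def required_rule(pool_member: str, app_port: int = 8080):
    """The inter-zone firewall rule the chosen pool-member placement needs, or
    None when the F5 self-IP and the pool member share a zone."""
    src_zone, dst_zone = ZONE_OF[F5_SELF_IP], ZONE_OF[pool_member]
    if src_zone == dst_zone:
        return None
    return (src_zone, dst_zone, app_port)


def compare_placements(client_ip: str, req: HttpRequest) -> dict:
    """Summarise, per pool-member zone, what the server actually receives."""
    results = {}
    for member in ("10.10.20.50", "10.10.30.50"):
        flow, fwd = full_proxy(client_ip, req, member)
        results[ZONE_OF[member]] = {
            "tcp_source_seen_by_server": flow.src_ip,
            "payload_unchanged": (fwd.method, fwd.path, fwd.body) == (req.method, req.path, req.body),
            "new_firewall_rule": required_rule(member),
        }
    return results


if __name__ == "__main__":
    for zone, info in compare_placements("198.51.100.7", SAMPLE_REQ).items():
        print(zone, info)
```

Running it prints, for each placement, that the pool member sees a TCP connection from the F5 self-IP rather than the internet client, that the HTTP payload is identical to what arrived at the virtual server, and that only the LAN placement needs a new DMZ-to-LAN rule on the application port.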