Forum Discussion
F5 LTM DMZ Security - One Arm or Route Domain
We currently have a LTM on our internal LAN to load balance 2 Exchange CAS servers and other internal intranet Web Application servers (the original requirement for the purchase of the F5 LTM).
We would now like to deploy load balancing for our soon to be deployed externally facing web front end.
We do not have the budget this year to deploy separate load balancers, so I am considering one of 2 options:
1. Create another one Armed VLAN using spare ports on the LTM directly into our Firewall Web Server DMZ Zone, and a dedicated self IP in the DMZ VLAN to allow load balancing of the web servers.
Internet -> Firewall -> DMZ VLAN ------ (F5 One Armed VLAN) - LTM
                            |                                  |
                            |                                  |
                            ------------------------------------ Internal VLAN
So the question is how secure is this - as this effectively means if the F5 is compromised they have access to the internal network that the F5 is also connected to.
2. Use a new Route Domain for the DMZ One armed VLAN to provide further isolation.
What are the pros and cons of either of the above and what is the recommended best practice in this scenario?
Also I have read using route domains might have implications with our GTM which we also have deployed for split DNS functionality.
Any recommendations would be greatly appreciated
Thank You
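For option 2, an added tmsh example (not from this thread and not F5's own documentation) showing how the DMZ one-arm VLAN can be placed in its own strict route domain so the BIG-IP will not forward between it and the internal VLAN in route domain 0; the VLAN name, interface 1.3, and the 192.0.2.x addresses are assumed. Note that route domains isolate the data-plane routing only: the management plane and the TMOS instance itself remain shared, so the question of what a compromised BIG-IP can reach still applies to the box as a whole.

```tmsh
# Added example, not from the thread: DMZ one-arm VLAN in its own route domain.
# VLAN name, interface 1.3 and all 192.0.2.x addresses are assumed values.

# DMZ VLAN on a spare interface
create net vlan dmz_vlan interfaces add { 1.3 { untagged } }

# Dedicated route domain for the DMZ. "strict enabled" (the default) stops the
# BIG-IP from forwarding traffic between this route domain and route domain 0.
create net route-domain dmz_rd id 1 vlans add { dmz_vlan } strict enabled

# Self IP inside route domain 1 (the %1 suffix), with no services listening on it
create net self dmz_self address 192.0.2.10%1/24 vlan dmz_vlan allow-service none

# Default route within the DMZ route domain points at the firewall's DMZ interface,
# so return traffic to Internet clients goes back out through the firewall
create net route dmz_default network default%1 gw 192.0.2.1%1

# Pool and virtual server in the DMZ route domain; SNAT automap is used so that
# server replies return via the one-arm LTM instead of bypassing it
create ltm pool dmz_web_pool members add { 192.0.2.21%1:80 192.0.2.22%1:80 } monitor http
create ltm virtual dmz_web_vs destination 192.0.2.100%1:80 pool dmz_web_pool source-address-translation { type automap } profiles add { http }

# Check: confirm strict isolation is in force on the DMZ route domain
list net route-domain dmz_rd strict
```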
1 Reply
- Kevin_Stewart
Employee
Why not use the F5 to route between the DMZ VLAN and the internal VLAN? That's actually a more common scenario than the one-arm config, and arguably the F5 is no more susceptible to compromise than your firewall.