Forum Discussion

coreyva
Oct 22, 2012

GTM Deploy outside of firewall, DNSSEC concern


We are implementing two 3900s configured as GTMs. With all of the groups involved, it's been difficult to get everyone in agreement on the best strategy. We wish to leverage DNS Express and have them become the SOA for all of our domains rather than using them as one-arm systems. The latest plan has the GTMs installed outside of our perimeter firewalls to reduce the DNS traffic increase from the shortened TTLs on our WIPs. Not wise in my opinion. The DNS team is concerned with having the DNSSEC keys installed on the GTM. They have this concern regardless of whether the GTM is in front of or behind the firewalls.


Since these are 3900s there is no FIPS. Secure Vault http://www.f5.com/pdf/white-papers/...ity-wp.pdf looks as though it would only protect the keys if someone had physical access to the drives and if we were using passphrases. DNSSEC does not use passphrases. The concern is if the GTM was compromised, an attacker could obtain the keys. I'm trying to determine whether this is truly a risk or paranoia. The GTMs would only allow access on port 53 external and would use a secondary network interface for management.


So my questions are as follows:


1. Are the keys at risk?


2. Have there been vulnerabilities in the past allowing an attacker access to the GTM?


3. Are others running the GTM with their DNSSEC keys on them?


Thanks.


1 Reply

I'm not too familiar with GTM, so forgive me for speaking with no authority; however, you'd have the same issue with LTM and SSL certificates, whether it's outside the firewall or inside. Obviously, most people would prefer inside to outside from a design and security standpoint. Secure Vault would protect keys if the hard drives were removed from the system, not while they are in it. Of course, TMOS is pretty secure in general where ICMP, DDoS mitigation, ARP protection etc. are concerned, and you've got packet filters, VLAN source checking, SSL and GUI IP restrictions, an out-of-band management interface, port lockdown and more on your side. You could also consider appliance mode. Regardless, I wouldn't do it unless I had to, and only then if the whole company signed a disclaimer.
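The original post asks whether the DNSSEC keys are at risk if the internet-facing GTM is compromised. The answer depends on which keys actually live on that box: a key that the parent zone's DS record anchors (the KSK) can only be replaced by getting a new DS published at the registrar, whereas a zone-signing key that exists only on the signer can be rolled and the zone re-signed locally, with no parent interaction. The following is an added example, not code from the forum post or from F5 (the thread says nothing about whether GTM keeps the KSK off the box). It uses only the Python standard library to implement the RFC 4034 key-tag and the RFC 4034/RFC 4509 DS digest computations, and then sorts a zone's DNSKEYs into "anchored by the parent's DS" versus "rollable locally" given which private keys are on the online signer. The zone name, the 64-byte algorithm-13 public keys and the "online key" sets are constructed dummy data, not real keys.

```python
"""Which DNSSEC keys does a compromised signer actually expose?

Added example, not code from the forum post or from F5.  Standard-library
only: it implements the RFC 4034 key-tag and the RFC 4034 / RFC 4509 DS
digest computations and uses them to sort a zone's DNSKEYs into
"anchored by the parent's DS" versus "rollable locally".  All key
material below is constructed dummy data, not real keys.
"""
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercased, uncompressed), RFC 4034 section 6.2."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm number, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag (the formula for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA a parent would publish for this DNSKEY: (key tag, algorithm, digest type, hex digest)."""
    digest = DIGEST_ALGORITHMS[digest_type](wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest


def classify_exposure(owner: str, dnskeys: list, parent_ds: set, online_tags: set) -> dict:
    """Map each DNSKEY's key tag to what losing the internet-facing signer would cost.

    The SEP flag (257 vs 256) is only a hint; what matters operationally is whether
    the parent's DS set actually anchors the key, so that is what is checked here.
    """
    report = {}
    for rdata in dnskeys:
        tag = key_tag(rdata)
        anchored = any(
            ds[2] in DIGEST_ALGORITHMS and ds_record(owner, rdata, ds[2]) == ds for ds in parent_ds
        )
        if tag not in online_tags:
            verdict = "offline: not exposed by a signer compromise"
        elif anchored:
            verdict = "ONLINE AND ANCHORED BY PARENT DS: compromise means an emergency DS change at the registrar"
        else:
            verdict = "online, not anchored: compromise is contained by a local rollover and re-sign"
        report[tag] = verdict
    return report


# Constructed dummy keys (NOT real): 64-byte ECDSA P-256 public keys, algorithm 13 (RFC 6605).
ZONE = "example.com."
KSK = dnskey_rdata(257, 13, b"\x01" * 64)      # key tag 9262
ZSK = dnskey_rdata(256, 13, b"\x02" * 64)      # key tag 17485
ZSK_NEW = dnskey_rdata(256, 13, b"\x03" * 64)  # key tag 25709
PARENT_DS = {ds_record(ZONE, KSK)}             # what the parent zone publishes: the KSK only


def sample_report(split_keys: bool = True) -> dict:
    """split_keys=True keeps the KSK private key off the signer; False puts both keys on it."""
    online = {key_tag(ZSK)} if split_keys else {key_tag(KSK), key_tag(ZSK)}
    return classify_exposure(ZONE, [KSK, ZSK], PARENT_DS, online)


def sample_after_zsk_roll() -> dict:
    """Rolling the ZSK changes the DNSKEY RRset but leaves PARENT_DS untouched."""
    return classify_exposure(ZONE, [KSK, ZSK_NEW], PARENT_DS, {key_tag(ZSK_NEW)})


if __name__ == "__main__":
    for label, report in (("split keys", sample_report()),
                          ("both keys online", sample_report(split_keys=False)),
                          ("after ZSK roll", sample_after_zsk_roll())):
        print(f"== {label}")
        for tag, verdict in report.items():
            print(f"  key tag {tag}: {verdict}")
```

Running it with real data means replacing the dummy DNSKEYs with the zone's actual DNSKEY RRset, the parent DS set with what `dig +dnssec DS example.com.` returns, and the online set with the key tags whose private halves are actually stored on the signer. Whether the KSK can be kept off the signer for a given product is a question for that product's documentation; the check above only tells you how much a signer compromise would cost under each arrangement.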