mike_55639
Jul 21, 2008 Nimbostratus
Hardening
Are there any documents available on system hardening for the bigip? Does anyone have any experience in this area?
Thanks in advance.
-m
http://www.linuxsecurity.com/docs/PDF/Securing-Optimizing-Linux-RH-Edition-1_3.pdf
If the system has a few layers of protection in front of it, I'd recommend against tweaking in this way, as most changes will not survive a hotfix or an upgrade.
Aaron
Posted By hoolio on 07/21/2008 10:06 AM
It would be ideal if F5 would publish a solution or guide to hardening LTM. A few of our enterprise customers have come up with their own methodologies and best practices, but they consider this proprietary information.
It would indeed be helpful if such documents existed.
Thanks,
-m
Aaron
Thanks
mdo
I think the same advice applies: you could contact your F5 account rep or F5 Support and ask them to provide hardening advice. This might also make a good request for the documentation forum:
Documentation Requests and Suggestions
http://devcentral.f5.com/Default.aspx?tabid=53&view=topics&forumid=2064
Aaron
Changing system settings at this level is generally a Bad Idea, as it'll potentially break stuff. The best bet is to keep the management network segmented, trusted and secured, and optionally to allow only certain systems CLI or GUI access. As far as the control plane goes - your virtual servers - they're very secure, at least from the BigIP perspective.
10.1 has incorporated SE Linux, so I expect this will become less and less of an issue on subsequent releases.
-Matt
Changing system settings at this level is generally a Bad Idea, as it'll potentially break stuff.
That's the point of a best practices guide, isn't it? I understand your position, it just won't hold water in all environments. All systems in some locations require hardening or they are not certified to be placed on the network. Period.
Version-specific hardening scripts would be handy... any takers? Clearly these will need to be run after hotfixes/upgrades as the changes they enforce are blown away.
My $.02, anyway.