Forum Discussion
mike_55639
Nimbostratus
Jul 21, 2008
Hardening
Are there any documents available on system hardening for the bigip? Does anyone have any experience in this area?
Thanks in advance.
-m
14 Replies
- JRahm
Admin
I'd start with a Red Hat hardening guide:
http://www.linuxsecurity.com/docs/PDF/Securing-Optimizing-Linux-RH-Edition-1_3.pdf
If the system has a few layers of protection in front of it, I'd recommend against tweaking in this way, as most changes will not survive a hotfix or an upgrade.
- hoolio
Cirrostratus
It would be ideal if F5 would publish a solution or guide to hardening LTM. A few of our enterprise customers have come up with their own methodologies and best practices, but they consider this proprietary information.
Aaron
- JRahm
Admin
Yeah, I would offer up my previous work in this space, but it isn't mine to give unfortunately.
- mike_55639
Nimbostratus
I certainly understand not wanting to release proprietary information.
Posted By hoolio on 07/21/2008 10:06 AM
It would be ideal if F5 would publish a solution or guide to hardening LTM. A few of our enterprise customers have come up with their own methodologies and best practices, but they consider this proprietary information.
It would indeed be helpful if such documents existed.
Thanks,
-m
- mike_55639
Nimbostratus
Been about a year and I'm wondering if perhaps any sort of documentation exists along these lines now?
Thanks,
-m
- hoolio
Cirrostratus
You might try contacting your F5 account rep and ask them if they have any documents on hardening. If not, you could ask them to escalate the request.
Aaron
- mdo_60050
Nimbostratus
Is there any further info about this topic now?
Thanks
mdo
- hoolio
Cirrostratus
Hi mdo,
I think the same advice applies: you could contact your F5 account rep or F5 Support and ask them to provide hardening advice. This might also make a good request for the documentation forum:
Documentation Requests and Suggestions
http://devcentral.f5.com/Default.aspx?tabid=53&view=topics&forumid=2064
Aaron
- L4L7_53191
Nimbostratus
Here are my two cents: I think of BigIP as having two very discrete systems: the control plane and the management plane. When most people talk about hardening, they're talking about hardening the management plane (that is, access via the management interface, CLI, etc.).
Changing system settings at this level is generally a Bad Idea, as it'll potentially break stuff. The best bet is to keep the management network segmented, trusted and secured, and optionally to allow only certain systems CLI or GUI access. As far as the control plane goes - your virtual servers - they're very secure, at least from the BigIP perspective.
10.1 has incorporated SELinux, so I expect this will become less and less of an issue on subsequent releases.
-Matt
- JRahm
Admin
"Changing system settings at this level is generally a Bad Idea, as it'll potentially break stuff."
That's the point of a best practices guide, isn't it? I understand your position, it just won't hold water in all environments. All systems in some locations require hardening or they are not certified to be placed on the network. Period.
Version-specific hardening scripts would be handy... any takers? Clearly these will need to be run after hotfixes/upgrades, as the changes they enforce are blown away.
My $.02, anyway.
