Forum Discussion
mike_55639
Jul 21, 2008 - Nimbostratus
Hardening
Are there any documents available on system hardening for the bigip? Does anyone have any experience in this area?
Thanks in advance.
-m
IheartF5_45022
May 08, 2011 - Nacreous
Hi - there is a TMOS hardening guide (v2) available which my SE coughed up as soon as I asked. I'd upload it but I can't see how to upload to this discussion. The main points of it are below:
- Use "Allow None" on all self-IPs as a rule - only allow selected protocols on an as-needed basis.
- Use packet filters for self-IPs on which you have enabled any protocols.
- Disable unused services HOWEVER "It is F5’s considered opinion and recommendation that the security hardening detailed in this guide is sufficient to negate the need to remove non-required services. Note that if services are removed, they will need to be removed again following a software upgrade."
- You can use hosts.allow and hosts.deny for management interface
- Secure NTPD to work only as a client using ntp.conf
I did feel that there were a few contradictions in the document. At one point the following statement was made:
"...it's recommended that the management port is not used, access being gained only through the switch ports and the serial console."
Then the very next page says:
Set ‘allow none’ on all Self IPs and only administer the BIG-IP using the Management Port.
Oh well - it at least provides a reference point so that you can say that you have applied all the vendor recommendations.
J
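An added example (not from the post above or from F5) of checking the first point in that list, the "Allow None" rule, against the output of `tmsh list net self`. It assumes tmsh's braced config layout, where a self-IP shows either `allow-service none`/`allow-service all` on one line or an `allow-service { ... }` block listing the permitted services; the sample output below is constructed, not captured from a real device.

```shell
#!/bin/sh
# Audit self-IP "allow-service" settings from saved `tmsh list net self` output.
# Emits "NAME SERVICES" for every self-IP that permits anything other than "none",
# i.e. the entries that need a packet filter or a justification per the hardening guide.
# Assumed input format: "net self NAME { ... }" stanzas, one setting per line.

audit_self_ips() {
    # $1: file holding the tmsh output
    awk '
        /^net self / { name = $3; services = ""; inblock = 0; next }
        /^[[:space:]]*allow-service[[:space:]]+\{/ { inblock = 1; next }
        inblock && /^[[:space:]]*\}/ { inblock = 0; next }
        inblock { gsub(/^[[:space:]]+|[[:space:]]+$/, "");
                  services = services (services ? "," : "") $0; next }
        /^[[:space:]]*allow-service[[:space:]]+/ { services = $2; next }
        /^\}/ { if (name != "" && services != "none") print name, services; name = "" }
    ' "$1"
}

# Constructed sample output (placeholder names and addresses, not a real device)
SAMPLE_TMSH=$(mktemp)
trap 'rm -f "$SAMPLE_TMSH"' EXIT
cat > "$SAMPLE_TMSH" <<'EOF'
net self external {
    address 10.1.10.5/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan external
}
net self internal {
    address 10.1.20.5/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
net self ha {
    address 10.1.30.5/24
    allow-service {
        tcp:ssh
        udp:snmp
    }
    traffic-group traffic-group-local-only
    vlan ha
}
EOF

# Expected: "internal default" and "ha tcp:ssh,udp:snmp"; "external" is compliant and not listed
audit_self_ips "$SAMPLE_TMSH"
```

Run it against `tmsh list net self > selfips.txt` taken from the device; an empty result means every self-IP is already at "Allow None".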