Forum Discussion

mike_55639
Jul 21, 2008

Hardening

Are there any documents available on system hardening for the bigip? Does anyone have any experience in this area?

Thanks in advance.

-m
  • Security is hard. And inconvenient. I have no idea what percentage of folks always install the latest feature release, but I doubt it's too high, so most upgrading would be from existing version to another existing version that would have had time to be vetted. I agree that it's difficult, I just think it's a worthy cause. I smell an entrepreneurial opportunity for someone. Surely there's a market for a reseller/partner to tackle this.
  • Hi - there is a TMOS hardening guide (v2) available which my SE coughed up as soon as I asked. I'd upload it but I can't see how to upload to this discussion. The main points of it are below:

    - Use "Allow None" on all self-IPs as a rule - only allow selected protocols on an as-needed basis.

    - Use packet filters for self-IPs on which you have enabled any protocols.

    - Disable unused services, HOWEVER: "It is F5’s considered opinion and recommendation that the security hardening detailed in this guide is sufficient to negate the need to remove non-required services. Note that if services are removed, they will need to be removed again following a software upgrade."

    - You can use hosts.allow and hosts.deny for the management interface.

    - Secure NTPD to work only as a client using ntp.conf.

    I did feel that there were a few contradictions in the document. At one point the following statement was made:

    "...it’s recommended that the management port is not used, access being gained only through the switch ports and the serial console."

    then the very next page says:

    "Set ‘allow none’ on all Self IPs and only administer the BIG-IP using the Management Port."

    Oh well - it at least provides a reference point so that you can say that you have applied all the vendor recommendations.

    J
  • Regarding this:

    "it’s recommended that the management port is not used, access being gained only through the switch ports and the serial console."

    The reason some people suggest this is that you cannot restrict access to ports on the management interface. However, there should be a firewall between hosts on the management subnet and any untrusted network or hosts. So I don't think this is a valid recommendation. And the major advantage of having the management interface available for admin access is that it will still work if TMM doesn't start. The switch ports will not work if TMM does not start--like if the config doesn't load or the license is invalid.

    So I always recommend having the management port available and protected by an external firewall.

    Aaron
  • This F5 link would help towards hardening - Securing access to the BIG-IP system

    http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13092.html
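As an added example (not code from the thread or from F5), here is a small Python audit of the "Allow None" self-IP rule summarized in J's reply above: it parses text in the shape of `tmsh list net self` output (the exact format is assumed from memory and the sample config is constructed) and flags self-IPs that still expose services, so the rule can be checked rather than just asserted.

```python
import re

# Constructed sample in the shape of `tmsh list net self` output.
# Format assumed, not taken from the thread: one block per self-IP,
# with allow-service being "all", "none", "default" or a braced list.
SAMPLE = """\
net self external_self {
    address 192.0.2.10/24
    allow-service all
    vlan external
}
net self internal_self {
    address 10.0.0.10/24
    allow-service {
        tcp:ssh
        tcp:https
    }
    vlan internal
}
net self ha_self {
    address 10.1.1.10/24
    allow-service none
    vlan ha
}
"""

def parse_self_ips(text):
    """Return {self_name: [allowed services]}; 'none' maps to []."""
    result = {}
    # Top-level blocks end with a newline followed directly by '}';
    # the nested allow-service list closes with an indented '}'.
    for m in re.finditer(r"net self (\S+) \{(.*?)\n\}", text, re.S):
        name, body = m.group(1), m.group(2)
        svc = re.search(r"allow-service (\S+)", body)
        if svc is None:
            result[name] = ["default"]   # assumption: unset means default
        elif svc.group(1) == "{":
            inner = re.search(r"allow-service \{(.*?)\}", body, re.S)
            result[name] = inner.group(1).split()
        else:
            result[name] = [] if svc.group(1) == "none" else [svc.group(1)]
    return result

def audit_self_ips(text):
    """Flag every self-IP not set to 'allow none', worst cases first."""
    findings = {}
    for name, services in parse_self_ips(text).items():
        if not services:
            continue                      # allow-service none: compliant
        if "all" in services or "default" in services:
            findings[name] = "wildcard exposure: " + ",".join(services)
        else:
            findings[name] = "explicit services open: " + ",".join(services)
    return findings
```

Self-IPs that legitimately need a protocol (HA, monitors) show up as "explicit services open", which is the as-needed exception the guide allows; a "wildcard exposure" finding is the one to fix first.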