Forum Discussion
Inquiry about BIG-IP LTM's security features
Hi guys.
Regarding security screening, my client has requested the ACLs below on BIG-IP.
They are Cisco ACLs, but I'm not good at Cisco.
I need to implement the ACLs below on BIG-IP.
1> Source IP ACL
access-list ㅇㅇㅇ deny ip 127.0.0.0 0.255.255.255 any
access-list ㅇㅇㅇ deny ip 224.0.0.0 31.255.255.255 any
access-list ㅇㅇㅇ deny ip host 0.0.0.0 any
access-list ㅇㅇㅇ permit ip any any

2> DDoS attack defense
access-list ㅁㅁㅁ deny ip 0.0.0.0 0.255.255.255 any
access-list ㅁㅁㅁ deny ip 127.0.0.0 0.255.255.255 any
access-list ㅁㅁㅁ deny ip 169.254.0.0 0.0.255.255 any
access-list ㅁㅁㅁ deny ip 192.0.2.0 0.0.0.255 any
access-list ㅁㅁㅁ permit ip any any
The security features of the F5 LTM I know are:
- httpd and sshd allow -> the only way to access BIG-IP is via SSH or HTTPS
- port lockdown -> set which protocols are allowed
- tm.maxrejectrate
- Virtual server's Standard type -> prevents SYN floods
- hardware / software SYN cookie protection -> I know it vaguely.
- packet filter -> I'm not good at this option
Is there any other useful security feature? Please let me know.
And how does BIG-IP defend against IP spoofing and ICMP flooding?
When an attacker attacks a VIP or self IP, BIG-IP will behave differently.
If you know any more security features, please let me know.
Thank you.
Packet filters are close to Cisco ACLs; have a look at them and see if they do what you want.
As for the security features, there are a lot. It might be useful to talk with your local F5 team or F5 partner to go through everything.
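As an added example (not code from the post, and not F5's own tooling), the script below does the Cisco-to-packet-filter translation the reply points at. Both lists are bogon source filters: they drop packets whose source address is loopback, multicast/reserved, 0.0.0.0, link-local or TEST-NET, which is what a spoofed-source check at the edge looks like. The script converts the Cisco wildcard masks to prefixes (note that 224.0.0.0 with wildcard 31.255.255.255 is 224.0.0.0/3, so it drops reserved 240.0.0.0/4 sources as well as multicast), turns each deny into a discard filter, and treats the trailing `permit ip any any` as the unhandled-packet action Accept under Network > Packet Filters > Configuration, where packet filtering itself also has to be enabled before any rule takes effect. The tmsh command shape `create net packet-filter <name> action <accept|discard> order <n> rule "<tcpdump-style expression>"`, the filter names, and the destination address used by the matcher are assumptions; the ACL text is a constructed copy of the entries quoted above with readable names in place of the placeholders.

```python
"""Cisco source-IP ACL -> BIG-IP packet-filter translation, plus a matcher
that shows which ACL entry a given source address hits.

Added example for this thread, not code from the original post or from F5.
Assumptions: the tmsh command shape
  create net packet-filter <name> action <accept|discard> order <n> rule "<expr>"
with a tcpdump-style <expr>, the made-up filter names (bogon_src_1 ...), and
the destination address used when matching.
"""
import ipaddress
import re

# Constructed input: the two lists quoted in the post, with readable names in
# place of the placeholder ACL names.
CISCO_ACL = """
access-list BOGON_SRC deny ip 127.0.0.0 0.255.255.255 any
access-list BOGON_SRC deny ip 224.0.0.0 31.255.255.255 any
access-list BOGON_SRC deny ip host 0.0.0.0 any
access-list BOGON_SRC permit ip any any
access-list DDOS_SRC deny ip 0.0.0.0 0.255.255.255 any
access-list DDOS_SRC deny ip 127.0.0.0 0.255.255.255 any
access-list DDOS_SRC deny ip 169.254.0.0 0.0.255.255 any
access-list DDOS_SRC deny ip 192.0.2.0 0.0.0.255 any
access-list DDOS_SRC permit ip any any
"""

ADDR = r"any|host\s+\S+|\S+\s+\S+"  # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'
ENTRY_RE = re.compile(
    rf"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+ip\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})\s*$"
)


def cisco_addr_to_network(field: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address field to an IPv4Network.

    A Cisco wildcard is the inverse of a netmask: set bits are "don't care".
    Only a contiguous run of low-order wildcard bits maps to a CIDR prefix.
    """
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if field.startswith("host"):
        return ipaddress.ip_network(field.split()[1] + "/32")
    addr, wildcard = field.split()
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR equivalent")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)


def parse_acl(text: str) -> dict:
    """Return {acl_name: [(action, src_net, dst_net), ...]} preserving entry order."""
    acls = {}
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACL line: {line!r}")
        acls.setdefault(m["name"], []).append(
            (m["action"], cisco_addr_to_network(m["src"]), cisco_addr_to_network(m["dst"]))
        )
    return acls


def bpf_term(direction: str, net: ipaddress.IPv4Network) -> str:
    """Render one side of the match as a tcpdump-style term ('src net 10.0.0.0/8')."""
    if net.prefixlen == 32:
        return f"{direction} host {net.network_address}"
    return f"{direction} net {net.with_prefixlen}"


def to_bigip_packet_filters(acl_name: str, entries, start_order: int = 10, step: int = 10):
    """Emit one tmsh packet-filter command per ACL entry, keeping the ACL order.

    'permit ip any any' is not emitted: on BIG-IP it is the unhandled-packet
    action (Accept) rather than a filter. Every 'deny' becomes 'discard'.
    """
    cmds, order = [], start_order
    for i, (action, src, dst) in enumerate(entries):
        if action == "permit" and src.prefixlen == 0 and dst.prefixlen == 0:
            continue
        terms = [bpf_term(d, n) for d, n in (("src", src), ("dst", dst)) if n.prefixlen]
        expr = " and ".join(terms) or "ip"
        tmsh_action = "discard" if action == "deny" else "accept"
        cmds.append(
            f'create net packet-filter {acl_name.lower()}_{i + 1} '
            f'action {tmsh_action} order {order} rule "{expr}"'
        )
        order += step
    return cmds


def first_match(entries, src_ip: str, dst_ip: str = "203.0.113.10") -> str:
    """Cisco semantics: first matching entry wins; no match means implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


if __name__ == "__main__":
    acls = parse_acl(CISCO_ACL)
    for name, entries in acls.items():
        print(f"# {name}")
        for cmd in to_bigip_packet_filters(name, entries):
            print("tmsh", cmd)
    for ip in ("127.0.0.1", "239.1.1.1", "240.0.0.1", "169.254.1.1", "10.1.1.1"):
        print(ip, {n: first_match(e, ip) for n, e in acls.items()})
```

Two caveats for whoever applies this. Packet filters only govern packets that arrive at the BIG-IP, so these rules cover spoofed bogon sources aimed at a VIP or self IP, not transit traffic the box never sees; and because every entry matches on source address only, they do nothing against a flood from addresses that look legitimate. Review what was created with `tmsh list net packet-filter` before enabling packet filtering globally, and keep the unhandled-packet action at Accept so the result matches the ACL's final `permit ip any any` instead of discarding everything the filters do not name.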