Forum Discussion

swjo_264656
Aug 28, 2017

Inquiry about BIGIP LTM's security features

Hi guys.

 

Regarding security screening, my client requests the ACL below on BIGIP.

 

The things below are Cisco ACLs, but I'm not good at Cisco.

 

I need to implement the ACL below on BIGIP.

 

1> Source IP ACL

    access-list ㅇㅇㅇ deny ip 127.0.0.0 0.255.255.255 any
    access-list ㅇㅇㅇ deny ip 224.0.0.0 31.255.255.255 any
    access-list ㅇㅇㅇ deny ip host 0.0.0.0 any
    access-list ㅇㅇㅇ permit ip any any

 

2> DDoS attack defense

    access-list ㅁㅁㅁ deny ip 0.0.0.0 0.255.255.255 any
    access-list ㅁㅁㅁ deny ip 127.0.0.0 0.255.255.255 any
    access-list ㅁㅁㅁ deny ip 169.254.0.0 0.0.255.255 any
    access-list ㅁㅁㅁ deny ip 192.0.2.0 0.0.0.255 any
    access-list ㅁㅁㅁ permit ip any any

 

The security features of the F5 LTM I know are:

 

  1. httpd and sshd allow -> the only way to access BIGIP is using SSH or HTTPS

     

  2. port lockdown -> set which protocol is allowed

     

  3. tm.maxrejectrate

     

  4. Virtual server's standard type -> prevents SYN flood

     

  5. hardware / software SYN cookie protection -> I know vaguely.

     

  6. packet filter -> I'm not good at this option

     

Is there any other useful security feature? Please let me know.

 

And how does BIGIP defend against IP spoofing and ICMP flooding?

 

When an attacker attacks a VIP or self ip, BIGIP will behave differently.

 

If you know any more security features, please let me know.

 

Thank you

 

  • Packet filters are close to Cisco ACLs; have a look at them and see if they do what you want.

     

    As for the security features, there are a lot; it might be useful to talk with your local F5 team or F5 partner to go through everything.
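A worked example added here (not code from the poster or from F5): it converts the Cisco wildcard-mask entries from the question into CIDR networks, evaluates them with first-match ACL semantics against sample source addresses, and emits the tcpdump-style expressions that BIG-IP packet filter rules accept. The tcpdump-syntax mapping is an assumption to verify against your BIG-IP version, and ACL_NAME is a placeholder for the poster's ACL names.

```python
import ipaddress
from typing import List, NamedTuple

# Constructed input: the seven distinct entries from the two ACLs in the question,
# with the placeholder ACL_NAME standing in for the poster's ACL names.
CISCO_ACL = """
access-list ACL_NAME deny ip 0.0.0.0 0.255.255.255 any
access-list ACL_NAME deny ip 127.0.0.0 0.255.255.255 any
access-list ACL_NAME deny ip 169.254.0.0 0.0.255.255 any
access-list ACL_NAME deny ip 192.0.2.0 0.0.0.255 any
access-list ACL_NAME deny ip 224.0.0.0 31.255.255.255 any
access-list ACL_NAME deny ip host 0.0.0.0 any
access-list ACL_NAME permit ip any any
"""

class AclEntry(NamedTuple):
    action: str                   # "deny" or "permit"
    src: ipaddress.IPv4Network    # source network in CIDR form

def wildcard_to_prefixlen(wildcard: str) -> int:
    """Cisco wildcard mask -> CIDR prefix length (0.255.255.255 -> 8, 31.255.255.255 -> 3)."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # wildcard is the inverted netmask
    plen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:      # reject non-contiguous masks
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return plen

def parse_cisco_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list NAME deny|permit ip (SRC WILDCARD | host SRC | any) any' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue
        action, src = parts[2], parts[4:-1]    # drop the trailing destination 'any'
        if src[0] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif src[0] == "host":
            net = ipaddress.IPv4Network(f"{src[1]}/32")
        else:
            net = ipaddress.IPv4Network(f"{src[0]}/{wildcard_to_prefixlen(src[1])}", strict=False)
        entries.append(AclEntry(action, net))
    return entries

def acl_action(entries: List[AclEntry], src_ip: str) -> str:
    """First matching entry wins, as on Cisco; implicit deny when nothing matches."""
    ip = ipaddress.IPv4Address(src_ip)
    return next((e.action for e in entries if ip in e.src), "deny")

def packet_filter_rules(entries: List[AclEntry]) -> List[str]:
    """Assumed mapping: BIG-IP packet filter 'rule' expressions use tcpdump filter syntax."""
    return [f"{e.action}: " + ("ip" if e.src.prefixlen == 0 else f"src net {e.src.with_prefixlen}")
            for e in entries]
```

The conversion makes the second entry's reach explicit: 224.0.0.0 with wildcard 31.255.255.255 is 224.0.0.0/3, i.e. all of the multicast and reserved address space, not just 224.0.0.0/4.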