For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

0_172524's avatar
0_172524
Icon for Nimbostratus rankNimbostratus
Oct 02, 2014

Is there any Document,best practices available on Hardening Guideloines/Security Beseline for F5 Loadbalancer

Is there any Document,best practices available on Hardening Guideloines/Security Beseline for F5 Loadbalancer

 

deployment
management
microsoft
sap
security

1 Reply

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Oct 02, 2014

    In the first instance I'd suggest you work you way through this: http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13092.html.

     

    Here's a quick and dirty list of things I think about where the HMS is concerned (includes some of the above) - most of these would apply to any Linux system;

     

    • DDos settings (defaults are generally good) see here: https://f5.com/solutions/architectures/ddos-protection/ddos-exclusive
    • Management access and source IP restrictions, idle times, banners etc.
    • SSH ciphers for management access
    • SSL ciphers for management GUI access
    • User roles, admin partitions etc.
    • Audit logging
    • SNMP community and restrictions
    • NTP security
    • Local password policy
    • Disable root account (perhaps admin too)
    • Local and remote logging
    • Port Lockdown
    • Implement packet filters on the management interface (v11.3 onwards)

    And then for LTM;

     

    • Use OneConnect to minimise server impact
    • Use Deferred Accept
    • Disable Reset on Timeout
    • Consider SSL ciphers and settings carefully
    • Reduce idle timeouts if necessary
    • VLAN Source check
    • VLAN keyed connections
    • QoS/Rate Limiting/shaping
    • Use iRules to protect against basic attacks
    • Connection rate limits