Forum Discussion
Anthony_Vaz_547
Nimbostratus
NimbostratusIs this a bad idea...
Hi guys
Curious on your thoughts on this please?
We traditionally have a setup where we may have web application servers and database servers in our corporate network.
We would also have reverse proxy software applications sitting in our DMZ, using something like Oracle WebCache or Apache with mod_proxy on a WinTel server.
Often we would have fail over pair reverse proxies, and a BigIP LTM sitting infront of them.
I have suggested that we could actually save a lot of money and resource by eliminating the reverse proxy wintel servers and having the BigIP VIP performing the same function.
We can utilise network side scripting with iRules to ensure only the correct URI's are accessed, that sort of thing. And firewall wise, there is a front firewall between the BigIP and the Internet, and another between the BigIP and the internal application server.
I see no real reason to have the WinTel boxes.
We don't currently use ASM sadly, so relying on the protection given by the firewalls, the irules on the VIP itself (locks down URI's to only a given few, ensure no javascript in query strings etc etc). And obviously, hopefully the web applications are written well enough not to be too easy to cause problems.
But I admit to wondering if this is a little too maverick? Thoughts/slaps?
hoolioCirrostratus
Hi Anthony,
Without native character and path normalization functionality (or user-defined functions?) in iRules, I don't think it's a good idea to try to use iRules to perform HTTP security validation. It's quite simple to bypass most iRule URI validation with encoding/directory traversal attacks. See this post for details:
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3090031324
ASM can definitely provide good validation and protection. But I don't think iRules should be depended on for now for this scenario.
Aaron
Anthony_Vaz_547Thanks Aaron. Excellent point - appreciate the speedy feedback