Forum Discussion
STTR_85331
Mar 31, 2011 (Nimbostratus)
LTM DMZ Design Question
Greetings,
We have been running a pair of LTMs in production for several years in what I would consider "one-armed" mode in that the traffic flows as follows:
Internet<-->Firewalls<-->LTMs<-->Web Servers.
The LTM Virtual Servers use SNAT AutoMap and the web servers use an internal router as their default gateway. Incoming traffic from the internet passes the firewalls and LTMs and is returned out the same path as the web servers see it as originating from an IP on their local subnet (the F5 internal floating IP). Management traffic for the web servers passes over the internal router from other internal networks.
In addition to the web services (HTTP/HTTPS) provided by the above configuration we have now been asked to host SMTP relays (inbound/outbound SMTP), DNS (might later be a GTM) and other services that I wouldn't immediately think of putting behind a load balancer.
I was originally planning on putting these new services in a separate DMZ which would exist as an interface on another firewall pair (a traditional 3-leg firewall design) but now I'm wondering if there are reasons that I should consider combining all these services into a centralized DMZ that provides both secure access to SMTP, DNS, etc as well as access to load balanced web farms for HTTP/HTTPS. I have a feeling that if I want to do this with SMTP and DNS outside the F5 but behind my firewall I'll need to move to an inline configuration so that I have a way to send management traffic to/from the DNS/SMTP servers assuming they are behind the DMZ firewall but outside the LTMs.
I'd be interested in others thoughts on best practices for such a configuration as well as where I can read further on my options. I've reviewed the F5 implementation manuals but they seem to only cover individual aspects of what I'm trying to achieve rather than a complete solution.
I'd also be interested in general thoughts on where to place services like SMTP, DNS, etc in an environment that includes F5 LTMs as my assumption to date has been that I would want these things in a DMZ but not behind my LTMs.
Thanks in advance for any tips or pointers to additional reading.
Cheers,
SJT.
11 Replies
- Joel_Moses (Nimbostratus): If I were you, I'd consider putting both SMTP servers and DNS servers behind the F5; these protocols are quite load-balanceable. We tend to organize things into a "sandwich" DMZ stack:
internet -> firewall -> F5 -> servers <- firewall <- internal_net
internet -> firewall -> F5 -> web_servers     <- firewall <- internal_net
                     -> F5 -> high_importance <-
                     -> F5 -> smtp_servers    <-
                     -> F5 -> dns_servers     <-
- STTR_85331 (Nimbostratus): Thanks Joel!
- Hamish (Cirrocumulus): My 2p... I don't bother load balancing protocols that load-balance themselves, e.g. SMTP. HTTP always. FTP sometimes...
- Posted By Simon Thorpe on 03/31/2011 01:00 PM
- Hamish (Cirrocumulus): @Jason. I agree.. Some simple rules for internet-facing apps that really, really help to cut down on intrusions are always good.
- Joel_Moses (Nimbostratus): @Simon: You got the meaning right on "weak routes". I'm not a huge fan of them either; they're a bit of a bear to administrate unless your server folks are really on top of their game. But they do provide one additional layer of protection against attacks that try to generate arbitrary traffic through vulnerable web components.
- STTR_85331 (Nimbostratus): @Joel: In regards to having a public IP range outside your LTM and a private range behind it, I assume this means that on the internet-facing firewall you are not doing address translation (NAT) but that you are effectively using the LTM for translations instead? If so, is there a particular advantage to this vs. having your internet-facing firewall do NAT and having private addresses in your DMZ both in front of and behind the LTM? The latter is how we are currently configured, but I'd be interested to hear the pros/cons of doing it as you described.
- Hamish (Cirrocumulus): Regarding public addressing on the LTM. There are two main differences. Latency (no NAT should mean very, very slightly less latency) - probably only discernible if you have a very heavily loaded firewall. And support. It's easier to trace things when you're trying to find a problem if there are fewer points of translation.
- Hamish (Cirrocumulus): @Joel... Why would you run your (presumably equal) mail servers with different priorities? If they're truly equal, then you use the same priority in the MX records. Lower priority is only used when the higher doesn't respond. That's not load balancing. It's a backup MX... MX load balancing is performed via the RR DNS resolutions.
- Joel_Moses (Nimbostratus): @Simon: Hamish has hit the nail on the head as to why the NAT boundary from public to private is good to put at the LTM. It saves the firewall from having to do a relatively expensive NAT and allows the policy to be instantly readable by the folks responsible for setting said policy without having to drill down into boatloads of NAT. Since the LTM is a very capable NAT device -- one of its core functions, in fact -- I'd rather it be performed there and save the CPU at the firewall for more advanced things.
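Hamish's point about MX preference versus round-robin, worked through as an added example (this is not code from the thread or from F5). It implements the sender-side rule from RFC 5321 section 5.1: try MX hosts in ascending preference, and pick randomly among hosts that share a preference. The two MX RRsets and the set of "reachable" hosts are constructed for illustration; the simulated senders show that equal preferences spread load across relays while a higher preference value only ever receives mail when every lower-preference host is down.

```python
import random
from collections import defaultdict

# Constructed MX RRsets (preference, host). Not taken from the thread.
MX_EQUAL = [(10, "mx1.example.com"), (10, "mx2.example.com"), (10, "mx3.example.com")]
MX_BACKUP = [(10, "mx-primary.example.com"), (20, "mx-backup.example.com")]


def mx_delivery_order(rrset, rng=random):
    """Order in which an RFC 5321 sender tries the MX hosts.

    Lower preference values are tried first; hosts that share a preference
    are tried in random order, which is what gives equal-preference MX
    records their load-spreading effect.
    """
    by_pref = defaultdict(list)
    for pref, host in rrset:
        by_pref[pref].append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def first_hop_distribution(rrset, reachable, trials=3000, seed=1):
    """Simulate many independent senders and count which host accepts each message.

    `reachable` is the constructed set of hosts currently answering on port 25.
    A sender walks its MX order and stops at the first host that answers;
    None counts messages that found no reachable relay at all.
    """
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(trials):
        for host in mx_delivery_order(rrset, rng):
            if host in reachable:
                counts[host] += 1
                break
        else:
            counts[None] += 1
    return dict(counts)


if __name__ == "__main__":
    all_up = {h for _, h in MX_EQUAL} | {h for _, h in MX_BACKUP}
    print("equal preference, all up:   ", first_hop_distribution(MX_EQUAL, all_up))
    print("backup MX, all up:          ", first_hop_distribution(MX_BACKUP, all_up))
    print("backup MX, primary down:    ",
          first_hop_distribution(MX_BACKUP, {"mx-backup.example.com"}))
```

Run as-is it prints three distributions: the equal-preference set shares roughly a third of the messages per relay, the backup set sends everything to the primary while it answers, and the backup only sees traffic once the primary is removed from the reachable set. This is the sender behaviour a DNS-only design relies on; a load balancer in front of the relays adds health checks and per-connection distribution that MX records alone cannot provide.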