Forum Discussion
STTR_85331
Mar 31, 2011 (Nimbostratus)
LTM DMZ Design Question
Greetings,
We have been running a pair of LTMs in production for several years in what I would consider "one-armed" mode in that the traffic flows as follows:
Internet<-->Firewall...
Joel_Moses
Mar 31, 2011 (Nimbostratus)
If I were you, I'd consider putting both SMTP servers and DNS servers behind the F5; these protocols are quite load-balanceable. We tend to organize things into a "sandwich" DMZ stack:
internet -> firewall -> F5 -> servers <- firewall <- internal_net
The goal being that the servers in the DMZ area issue no traffic _towards_ the internal network that isn't specifically allowed, and receive only traffic _from_ the public internet that is specifically granted access. A "meets in the middle" approach, if you will. In this model, the default route of the internal servers is set to the F5 and a "weak route" is put on each server so it can find its way to only selected management hosts on the internal_net through the backend firewall and to other subnets off the backend firewall.
In addition, we typically organize the DMZ into "infrastructure stacks" based on the services they offer and the criticality they present. So:
internet -> firewall -> F5 -> web_servers     <- firewall <- internal_net
                     -> F5 -> high_importance <-
                     -> F5 -> smtp_servers    <-
                     -> F5 -> dns_servers     <-
We typically have our database servers connected to another leg connected directly to the backside firewall; the goal there being that the databases that support our web_server stack are accessible only from the web server itself -- we don't put them directly in the DMZ server subnet itself, we pass them through the firewall for policy control and logging.
There are a ton of different ways to slice this; we've taken to putting a lot of things behind LTMs because we find that most Internet-available services are able to be load-balanced to an excellent degree. We also have specific environmental requirements that require us to isolate services for better survivability... you may not have the same requirements.
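The "meets in the middle" design above can be checked on paper before anyone touches a firewall. The following is an added example, not code from the post, from F5 or from DevCentral: it models a DMZ server's routing table (default route to the F5, one "weak" route for the management subnet through the backend firewall) with longest-prefix matching, and models the two firewalls as an explicit allow-list keyed on security zones. All addresses, zone names, gateway labels and ports are constructed placeholders; the `exposure_report()` helper is a hypothetical name for a review step that lists what each DMZ tier may initiate towards the inside.

```python
"""Added example (not from the original post): a model of the "sandwich"
DMZ the answer describes. Zone addresses, gateway labels and port numbers
are constructed placeholders, not values from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # constructed label for the gateway


# Routing table of one DMZ server: the default route points at the F5, and a
# single "weak" (more specific) route leads through the backend firewall to
# the management subnet only. Any other internal destination is unreachable
# from the server, which is the point of the design.
DMZ_SERVER_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "f5_self_ip"),
    Route(ipaddress.ip_network("10.50.0.0/24"), "backend_firewall"),
]


def next_hop(routes, dst):
    """Longest-prefix match, the way a host routing table resolves a destination."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen).next_hop


# Security zones (constructed). "internet" is the catch-all and only wins when
# no more specific zone contains the address (longest prefix wins in zone_of).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz_web": ipaddress.ip_network("192.0.2.0/24"),
    "dmz_smtp": ipaddress.ip_network("198.51.100.0/24"),
    "db": ipaddress.ip_network("10.20.0.0/24"),
    "mgmt": ipaddress.ip_network("10.50.0.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

# The only flows either firewall permits; everything else is denied. This is
# the "meet in the middle" shape: the internet reaches only published services,
# DMZ servers reach inward only to their own database, and only management
# hosts may reach DMZ servers from the internal side.
ALLOWED_FLOWS = {
    ("internet", "dmz_web", 443),
    ("internet", "dmz_smtp", 25),
    ("dmz_web", "db", 5432),
    ("mgmt", "dmz_web", 22),
    ("mgmt", "dmz_smtp", 22),
}


def zone_of(ip):
    """Map an address to the most specific zone that contains it."""
    addr = ipaddress.ip_address(ip)
    containing = [(name, net) for name, net in ZONES.items() if addr in net]
    return max(containing, key=lambda item: item[1].prefixlen)[0]


def flow_allowed(src, dst, port):
    """True only if a rule explicitly permits src -> dst:port (default deny)."""
    return (zone_of(src), zone_of(dst), port) in ALLOWED_FLOWS


def exposure_report(flows=ALLOWED_FLOWS):
    """For review: which (zone, port) pairs each DMZ tier may initiate towards."""
    report = {}
    for src, dst, port in sorted(flows):
        if src.startswith("dmz_"):
            report.setdefault(src, set()).add((dst, port))
    return report


if __name__ == "__main__":
    for dst in ("203.0.113.7", "10.50.0.9", "10.0.5.5"):
        print(f"{dst:>12} -> next hop {next_hop(DMZ_SERVER_ROUTES, dst)}")
    checks = [
        ("203.0.113.7", "192.0.2.10", 443),  # internet -> web: published
        ("203.0.113.7", "10.20.0.5", 5432),  # internet -> db: never direct
        ("192.0.2.10", "10.20.0.5", 5432),   # web -> db through backend firewall
        ("192.0.2.10", "10.0.5.5", 445),     # web -> internal host: blocked
        ("10.50.0.9", "192.0.2.10", 22),     # mgmt -> web: allowed
    ]
    for src, dst, port in checks:
        print(f"{src} -> {dst}:{port} allowed={flow_allowed(src, dst, port)}")
    print(exposure_report())
```

The route lookup shows why the "weak route" matters: a DMZ server asked to reach an internal host outside the management subnet simply hands the packet to the F5 via its default route, so even a misconfigured firewall rule on the inside does not give it a path. The flow table is worth keeping alongside the real firewall policy and diffing against it during change review.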