Forum Discussion
STTR_85331
Mar 31, 2011
LTM DMZ Design Question
Greetings,
We have been running a pair of LTMs in production for several years in what I would consider "one-armed" mode in that the traffic flows as follows:
Internet<-->Firewall...
Posted By Simon Thorpe on 03/31/2011 01:00 PM
Thanks Joel!
That's interesting to hear that you use the "sandwich DMZ" approach - I'd been reading about this in various places and hearing pros and cons, so it's good to hear that you have a real-world example of this in production.
A few questions - by "weak routes" on the DMZ servers I assume you mean a host-based route pointing to the internal networks via the internal FW, since their default gateway is the F5? We have used this approach before but I was never 100% convinced that it was something I wanted to rely on. Could you send management traffic to/from the DMZ servers out of a separate interface on the LTMs instead, or does that cause more problems than it solves?
Secondly, how are you separating your "infrastructure stacks"? Are they on different networks separated by ACLs, different LTMs, etc or did you just mean groups of virtual servers on the same LTM pair(s)?
I was also interested in your idea of having your database servers in essentially their own DMZ off the "inside" FW. In our case we really have only two classes of server - "web", which encompasses HTTP, Citrix, DNS & SMTP, and "application", which includes our application and database servers (our "application layer"). All of these in some way support our customer-facing applications and we don't have any "internal" resources present such as user workstations - these are all at separate sites. So in our case we would likely have all our "application" servers in the "internal_net" from your diagram.
If anyone else has similar examples of how they do this I'd love to hear them.
Cheers!
-Simon.
I've never been a fan of allowing servers in the DMZ to have any more than 1 interface (save a lights-out backplane connection). All traffic, management or otherwise, intended for the corporate LAN heads directly to a non-external firewall (usually separating mgmt and data zones). For DMZ ADC deployments, all applications in a similar vertical security layer can run through the same HA pair, but once they are inside the firewall I typically split out mission/business critical apps on separate pairs. If I have more than one vertical security layer, sec policy usually demands physical separation and thus multiple pairs.