Forum Discussion
STTR_85331
Mar 31, 2011, Nimbostratus
LTM DMZ Design Question
Greetings,
We have been running a pair of LTMs in production for several years in what I would consider "one-armed" mode in that the traffic flows as follows:
Internet<-->Firewall...
@Jason. I agree. Some simple rules for internet-facing apps that really, really help to cut down on intrusions are always good.
1. No inbound interactive connections
2. Any inbound connections need to land in a firewalled DMZ (i.e. user -- firewall -- LTM -- content layer (Apache/WebLogic) -- firewall -- business logic layer)
3. Comms between DMZ and BLS (Business Logic Servers) shouldn't be simply proxied through, and should probably be a different protocol
4. No data in the DMZ
5. No filesharing from DMZ to internal networks (This one I've broken before. I have used kerberised NFSv4 and AFS clients on a DMZ accessing internal filesystems. But that was purely to pass statistical and log data back to the internal net.)
You can add firewalls between the BLS and databases as well if you like and can afford the latency. If you can't, try and segregate your databases that are accessed from other databases.
Internal and external DMZ firewalls CAN be the same unit (i.e. the DMZ hangs off the side of your internet-facing firewalls), but it is a lot better (safer and easier to prove the rules are correct) to have separate hardware (although again, I've been playing with VSX and virtual firewalls recently).
H
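The five design rules in the reply above are easy to state and easy to erode one change request at a time, so a practitioner usually wants them encoded as a check a candidate firewall ruleset can be linted against. The following is an added example, not code from the thread, from F5 or from any product: a small zone-policy linter in Python. The zone names (internet, dmz, bls, internal), the port groupings (for instance treating 7001 as a WebLogic t3 port that is a "different protocol" from the inbound HTTPS leg) and the sample ruleset are all assumptions constructed for illustration; substitute your own before relying on it.

```python
"""Zone-policy linter for the layered DMZ design discussed in the thread.

Added example, not from the original thread or from F5.  Zone names, port
groupings and SAMPLE_RULES are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Port groupings are assumptions; adjust them to the real estate.
INTERACTIVE_PORTS = {22, 23, 3389, 5900}    # ssh, telnet, rdp, vnc
FILESHARING_PORTS = {111, 139, 445, 2049}   # rpcbind, netbios-ssn, smb, nfs
DATABASE_PORTS = {1433, 1521, 3306, 5432}   # mssql, oracle, mysql, postgres
WEB_PORTS = {80, 443}                       # the protocol the inbound leg uses

ZONES = ("internet", "dmz", "bls", "internal")


@dataclass(frozen=True)
class Rule:
    """One allow/deny entry of a zone-based firewall policy (assumed shape)."""
    src: str
    dst: str
    proto: str
    dport: int
    action: str = "allow"


def check_rule(rule: Rule) -> list[str]:
    """Return the design rules from the thread that this firewall rule breaks."""
    if rule.src not in ZONES or rule.dst not in ZONES:
        raise ValueError(f"unknown zone in {rule}")
    if rule.action != "allow":
        return []  # a deny entry cannot violate an allow-list design
    findings: list[str] = []
    if rule.src == "internet":
        if rule.dst != "dmz":
            findings.append(f"rule 2: inbound traffic must land in the DMZ, not {rule.dst}")
        if rule.dport in INTERACTIVE_PORTS:
            findings.append("rule 1: no inbound interactive connections")
    # Data in the DMZ: either a database hosted there, or the content layer
    # reaching a database directly instead of going through the BLS.
    if rule.dport in DATABASE_PORTS and (rule.dst == "dmz" or rule.src == "dmz"):
        findings.append("rule 4: database traffic to or from the DMZ means data in the DMZ")
    if rule.src == "dmz":
        if rule.dst == "bls" and rule.dport in WEB_PORTS:
            findings.append("rule 3: DMZ->BLS reuses the inbound web protocol (straight pass-through)")
        if rule.dst == "internal" and rule.dport in FILESHARING_PORTS:
            findings.append("rule 5: no file sharing from the DMZ into internal networks")
    return findings


def lint(rules: Iterable[Rule]) -> list[tuple[Rule, list[str]]]:
    """Lint a whole ruleset; returns only the entries with findings, in order."""
    report = []
    for rule in rules:
        findings = check_rule(rule)
        if findings:
            report.append((rule, findings))
    return report


# Constructed sample ruleset: some entries follow the design, some break it.
SAMPLE_RULES = [
    Rule("internet", "dmz", "tcp", 443),          # ok: users reach the LTM / content layer
    Rule("internet", "dmz", "tcp", 22),           # breaks rule 1
    Rule("internet", "bls", "tcp", 443),          # breaks rule 2 (skips the DMZ)
    Rule("dmz", "bls", "tcp", 443),               # breaks rule 3 (plain proxy-through)
    Rule("dmz", "bls", "tcp", 7001),              # ok: assumed WebLogic t3, a different protocol
    Rule("dmz", "internal", "tcp", 2049),         # breaks rule 5 (NFS into internal)
    Rule("dmz", "internal", "udp", 514),          # ok: syslog back to the internal net
    Rule("internal", "dmz", "tcp", 5432),         # breaks rule 4 (database in the DMZ)
    Rule("internal", "dmz", "tcp", 22, "deny"),   # deny entries are never flagged
]


if __name__ == "__main__":
    for rule, findings in lint(SAMPLE_RULES):
        print(f"{rule.src}->{rule.dst} {rule.proto}/{rule.dport}: " + "; ".join(findings))
```

Running the linter over the sample ruleset flags five of the nine entries. The checker is an allow-list: it never "approves" a rule, it only reports which design rule a permitted flow contradicts, so the firewall that carries the policy stays default-deny and the linter stays small.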