Forum Discussion

Steve_Burton_11
Sep 10, 2012

LTM Pass-Thru Security Concerns

We have a VIPRION solution in place, and in reviewing the design, the 2400 chassis is deployed off the firewalls, and there is a TRUNK connected to another interface.

The trunk has several VLANs for different applications, and all servers can see each other because the interface the trunk is terminated on will route between them.

My question here is: is this the normal setup? This seems to be a security flaw to me, and I wanted to get some feedback on this.

Are there any features in LTM that can secure this open/flat network on the F5?

I am not the hands-on guy, but am reviewing the architecture.

On another similar note, one application load balances all three tiers, and because of this configuration they can now directly connect to each other and do not traverse the firewalls.

Your experiences would be helpful.

Cheers,

Steve

 

  • Have a read of this article; it depends on your design and code version.

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos_management_guide_10_1/tmos_vlans.html

    Consider: is the F5 the gateway for your VLAN? Do a netstat -r on the CLI; this will show you the VLAN it is talking on. Consider the routes configured, if any.

    Have a read of Enabling source checking.
  • From what I can tell, the feature I need to use is routing domains.

    Can someone confirm that enabling this feature will provide the isolation I need to keep the different tiers isolated from each other and force the systems to go through the firewalls to communicate, and not directly through the F5 unfiltered?
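As an added illustration of the route-domain approach being asked about (this is not from the thread or from F5's own documentation), the tmsh commands below put each tier's VLAN in its own route domain with strict isolation, so the F5 no longer forwards between tiers and each tier's only exit is the firewall. It assumes three tier VLANs tagged on trunk interface 1.1 and that the firewall holds a leg on each tier VLAN; all VLAN names, tags, route-domain ids and addresses are assumptions.

```tmsh
# Added example: per-tier route domains with strict isolation.
# VLAN names, tags, interface 1.1 and all addresses are assumptions.
#
# Flat state described in the thread: every tier VLAN lives in the
# default route domain 0, so the F5 routes between them and
# inter-tier traffic never reaches the firewall:
#   list net route-domain 0      # shows every tier VLAN under one domain

# 1. One VLAN per tier, all tagged on the same trunk interface.
create net vlan web_vlan tag 101 interfaces add { 1.1 { tagged } }
create net vlan app_vlan tag 102 interfaces add { 1.1 { tagged } }
create net vlan db_vlan  tag 103 interfaces add { 1.1 { tagged } }

# 2. One route domain per tier. "strict enabled" (the default) means
#    traffic in this domain cannot be forwarded into another domain.
create net route-domain web_rd id 1 strict enabled vlans add { web_vlan }
create net route-domain app_rd id 2 strict enabled vlans add { app_vlan }
create net route-domain db_rd  id 3 strict enabled vlans add { db_vlan }

# 3. Self IPs use the address%route-domain-id/prefix notation.
#    "allow-service none" keeps the self IP from answering management ports.
create net self web_self address 10.1.1.2%1/24 vlan web_vlan allow-service none
create net self app_self address 10.1.2.2%2/24 vlan app_vlan allow-service none
create net self db_self  address 10.1.3.2%3/24 vlan db_vlan  allow-service none

# 4. Each domain's only default route points at the firewall's leg on
#    that VLAN, so a web server reaching the app tier must go via the firewall.
create net route web_default network 0.0.0.0%1/0 gw 10.1.1.1%1
create net route app_default network 0.0.0.0%2/0 gw 10.1.2.1%2
create net route db_default  network 0.0.0.0%3/0 gw 10.1.3.1%3

# 5. Verify: no route domain lists a foreign VLAN, and each domain's
#    table holds only its connected network plus the firewall default.
list net route-domain
show net route
save sys config
```

Virtual servers and pools that front a tier then have to be created with addresses in that tier's route domain, and the firewall policy between the tier VLANs becomes the only path for inter-tier traffic, which is where the filtering the question asks for actually happens.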