Forum Discussion
Management routes accessible from TMM? Are we crossing the streams?
The separation of device management and data has always been a core architectural component of TMOS; however, as of v12.x, HSL will be able to access syslog servers which are only accessible via the management (mgmt) interface.
Is the ability to reach a mgmt-reachable device via a TMM pool only for pools assigned to HSL publishers, or is this now a general ability to place mgmt-only accessible devices within reach of the data plane? Are there any other implications of this?
3 Replies
Ew. Sounds like a generally bad idea to use unless using a license limited by throughput and you're really desperate to save those bytes.
/Patrik
- IheartF5_45022
Nacreous
Oh yes, I agree. I don't think F5 think it's a very good idea either - I feel they were pressured by those who just 'like' to keep syslog on the management interface; however, I'm concerned that by doing this they have changed a fundamental construct of TMOS and (potentially) removed a security control.
Interested to see what others think.
- jgranieri
Nimbostratus
Well, if security is your concern, I would recommend creating a route domain and placing the HSL server pool there. I believe this will isolate this traffic and should provide some protection in the sense of routing. You would need specific data-plane interfaces to be assigned into the route domain to isolate it from the other traffic.