
kas21_201796
May 12, 2015

Multihomed F5 bypassing Firewall

I am new to F5 and am helping replace/update our current configuration that we use for ActiveSync. Currently we have one F5 running APM that does authentication and SSL termination in the DMZ and a second F5 inside the network that provides NLB for our Exchange CAS servers.


The DMZ F5 is dual-homed. It has an interface in the DMZ and an interface on our inside network. From what I can tell (and from what I have read) this is allowing some traffic from the DMZ to our internal network to bypass the firewall. For example, when the F5 performs pre-authentication it talks to our internal AD via the inside interface and does not have to route through our firewall. I have not determined if the actual ActiveSync traffic behaves the same way or if it "sticks" to the DMZ interface and therefore must route through the firewall.


Needless to say, this makes me nervous and I feel we should remove the internal interface from the DMZ F5 and force it to route through our firewall.


Is anyone able to confirm my understanding of how the F5 is routing traffic and if this is a concern or a best practice? If ActiveSync traffic is jumping from the DMZ to the internal interface on the F5 and bypassing the firewall then I know for sure I want to fix it. I do not want traffic from the internet to bypass our perimeter defenses. What is less clear is if pre-authentication is a concern. I assume the pre-authentication request is initiated new from the F5 and is reasonably safe to allow it access directly to our internal AD.


1 Reply

  • By default, the F5 initiates server-side traffic based on the routes in the routing table (including local subnets).


    If you would like the F5 to have the traffic from the DMZ interface routed differently, may I suggest asking your sales engineer about vCMP, or looking into setting up a separate route domain for the DMZ interface: Manual Chapter: Working with Route Domains.


    vCMP is similar to creating virtual machines on F5 hardware, and route domains are similar to a single-box MPLS layer 3 VPN (VRF in Cisco / Juniper terms) for layer 3 separation. Both options may take considerable time and effort to plan and implement, but if you require layer 3 or higher separation this is where I would look first.
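The route-domain approach from the reply, written out as an added example (not from the original thread or from F5's documentation). It places the DMZ-facing VLAN of the front-end BIG-IP in its own route domain whose only route points at the firewall, so that every server-side connection the box originates from that side (pool members, and APM authentication to AD if the AAA server is addressed in the same route domain) is routed through the firewall rather than over the inside interface. All object names, the interface number and the addresses are assumed for illustration; adjust them to the real topology.

```tmsh
# Added example, not part of the original post. Names, interface 1.2 and all
# addresses are assumptions. Run from "tmsh" on the DMZ-facing BIG-IP.

# 1. VLAN on the DMZ-facing interface.
create net vlan vlan_dmz interfaces add { 1.2 { untagged } }

# 2. Route domain 10 containing only that VLAN. "strict enabled" is the default;
#    it blocks forwarding between this route domain and route domain 0 (where the
#    inside VLAN lives), so traffic cannot hop DMZ -> inside within the box.
create net route-domain rd_dmz id 10 strict enabled vlans add { vlan_dmz }

# 3. Self IP in route domain 10 (the %10 suffix selects the route domain).
create net self self_dmz address 192.0.2.10%10/24 vlan vlan_dmz allow-service none

# 4. Default route for route domain 10 pointing at the DMZ-side firewall interface.
#    With no connected route for the inside subnets in rd 10, every server-side
#    connection from this route domain is sent to the firewall.
create net route rt_dmz_default network default%10 gw 192.0.2.1%10

# 5. Pool for the inside CAS load balancer, addressed in route domain 10 so the
#    server-side connection is looked up in rd 10 and leaves via rt_dmz_default.
create ltm pool pool_cas members add { 10.0.0.50%10:443 } monitor https

# 6. ActiveSync virtual server in route domain 10, listening only on the DMZ VLAN.
create ltm virtual vs_activesync destination 192.0.2.20%10:443 ip-protocol tcp pool pool_cas profiles add { http clientssl } vlans add { vlan_dmz } vlans-enabled

# 7. Verify: rd_dmz should hold only vlan_dmz, and the only route with the %10
#    suffix should be the default route to the firewall.
list net route-domain rd_dmz
list net route
```

If APM pre-authentication should take the same path, give the AAA Active Directory server's domain controller address the same `%10` suffix when you create it; an address without the suffix is looked up in route domain 0 and will still reach AD over the inside interface. Once the firewall is in the path, the inside interface on the DMZ box can be removed or left in route domain 0 for management only.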