Forum Discussion
Jose_Santiago_O
Nimbostratus
Jul 10, 2007
OneConnect and IP access.
Hi,
I'm considering enabling OneConnect on my site. My site is private (you have to provide a user and password to access more information), but we have configured on my web servers several IP/mask ranges that can navigate freely through the whole site without being asked for a user/password.
I'm reading that with a 0.0.0.0 mask, the web server will log only the original IP address. My question is: if one person from one of my allowed hosts enters and then this connection is re-used by another person on another (unrestricted) IP, will this person have free access to my whole site?
On my web servers I am using an ISAPI to catch the IP address on every request. On my virtual server I also have source-address persistence.
Regards,
Jose Oyervides.
1 Reply
Deb_Allen_18
Historic F5 Account
Hi Jose -
If your servers are conditioning access on the actual L3 address header and not the X-Forwarded-For header value, then yes, your security scheme would be subverted if you apply the default OneConnect profile.
You can still take advantage of OneConnect and still prevent sharing the serverside connection (and apparent source address) with users from other addresses. Just apply a custom OneConnect profile with a host mask (255.255.255.255) or a subnet mask as small as your smallest subnet. That will limit sharing of connections to only those who match the original request IP/subnet.
(LTM persistence is based on the original clientside source IP, so that won't cause any problems.)
HTH
/deb
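To make the reuse rule in the reply above concrete, here is an added example (not code from the thread, F5, or the poster's site) that models how a OneConnect source mask decides whether a new client request may pick up an idle server-side connection, and what the web server then sees as the L3 source. The trusted range 10.1.1.0/24 and the client addresses are constructed for the example. On tmsh-based LTM versions the host-mask profile Deb describes is created with `create ltm profile one-connect oneconnect_host defaults-from oneconnect source-mask 255.255.255.255`; the 2007 original would have done the same through the GUI or bigpipe.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed for the example: the web server's ISAPI filter grants
# credential-free access to requests whose L3 source falls in this range.
TRUSTED_RANGE = IPv4Network("10.1.1.0/24")


@dataclass(eq=False)
class ServerSideConn:
    """An idle or in-use LTM-to-server TCP connection.

    Without SNAT the server sees the original client address, so the
    connection carries the address of the client that first opened it.
    """
    client_ip: str


class OneConnectPool:
    """Minimal model of OneConnect connection reuse keyed by source mask."""

    def __init__(self, source_mask: str):
        self.mask = int(IPv4Address(source_mask))
        self.idle: list[ServerSideConn] = []

    def _key(self, ip: str) -> int:
        # 0.0.0.0 masks every address to 0 (any client matches any connection);
        # 255.255.255.255 keeps the full address (only the same host matches);
        # a subnet mask matches clients within the same subnet.
        return int(IPv4Address(ip)) & self.mask

    def acquire(self, client_ip: str) -> ServerSideConn:
        """Reuse an idle connection whose masked source matches, else open one."""
        for conn in self.idle:
            if self._key(conn.client_ip) == self._key(client_ip):
                self.idle.remove(conn)
                return conn
        return ServerSideConn(client_ip=client_ip)

    def release(self, conn: ServerSideConn) -> None:
        self.idle.append(conn)


def server_grants_free_access(conn: ServerSideConn) -> bool:
    """The server-side check: trust is based on the connection's L3 source."""
    return IPv4Address(conn.client_ip) in TRUSTED_RANGE


def simulate(source_mask: str, first_client: str, second_client: str) -> dict:
    """First client completes a request; second client then sends one.

    Returns whether the second request reused the first client's server-side
    connection, which source the server saw, and whether it waived the login.
    """
    pool = OneConnectPool(source_mask)
    first = pool.acquire(first_client)
    pool.release(first)          # request done, connection parked as idle
    second = pool.acquire(second_client)
    return {
        "reused": second is first,
        "server_sees": second.client_ip,
        "free_access": server_grants_free_access(second),
    }


if __name__ == "__main__":
    trusted, outsider = "10.1.1.5", "203.0.113.9"
    for mask in ("0.0.0.0", "255.255.255.0", "255.255.255.255"):
        print(mask, simulate(mask, trusted, outsider))
```

With the default 0.0.0.0 mask the outsider's request rides the trusted host's parked connection and the server waives the login; with a /32 mask (or a subnet mask that excludes the outsider) a fresh connection is opened and the server sees 203.0.113.9. The subnet-mask case still lets two hosts inside the same trusted subnet share a connection, which is harmless because both already pass the server's check.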