Forum Discussion

mpete32_168869's avatar
mpete32_168869
Icon for Cirrus rankCirrus
Oct 28, 2014
Solved

Routing of DMZ F5 traffic to internal F5 traffic

I have a design / functionality question. I have a DMZ server that I'll be bringing into our internal network but will be fronting it will the F5 appliance in our DMZ. The question I has is two fold...
application delivery
BIG-IP Access Policy Manager (APM)
deployment
design
devops
iRules
security
  • mimlo_61970's avatar
    mimlo_61970
    Oct 28, 2014

    I wouldn't consider it best practice, but people have their own opinions. Ask yourself this, would you open a rule up from the Internet direct to an internal server? If not, what protection do you think the F5 is adding to this connection to make your scenario better? Assuming you are just talking about LTM, it is working as a proxy and terminating the connection, but for the most part it will pass all application traffic, including application attacks/exploits, right through to your internal server.

     

    As far as routing and firewall rules, that is configuration dependent, but I don't think you can just create a rule allowing DMZ F5 to talk to internal F5. Your traffic will go through the external F5 and have some source IP(defined by if SNAT is enabled, what snat pool you use, or automap) to a destination of the internal virtual server. I imagine you will need a separate rule for each VS you want to work this way.

     

mimlo_61970's avatar
mimlo_61970
Icon for Cumulonimbus rankCumulonimbus
Oct 28, 2014

I wouldn't consider it best practice, but people have their own opinions. Ask yourself this, would you open a rule up from the Internet direct to an internal server? If not, what protection do you think the F5 is adding to this connection to make your scenario better? Assuming you are just talking about LTM, it is working as a proxy and terminating the connection, but for the most part it will pass all application traffic, including application attacks/exploits, right through to your internal server.

 

As far as routing and firewall rules, that is configuration dependent, but I don't think you can just create a rule allowing DMZ F5 to talk to internal F5. Your traffic will go through the external F5 and have some source IP(defined by if SNAT is enabled, what snat pool you use, or automap) to a destination of the internal virtual server. I imagine you will need a separate rule for each VS you want to work this way.

 

  • mpete32_168869's avatar
    mpete32_168869
    Icon for Cirrus rankCirrus
    Dec 12, 2014
    That's technically what we're attempting to do is to use the DMZ F5 as a proxy eliminating having to place any servers in the DMZ.
  • mimlo_61970's avatar
    mimlo_61970
    Icon for Cumulonimbus rankCumulonimbus
    Dec 12, 2014
    I wouldn't advise it. Take SCHANNEL attack for example. No one ever really said if F5 stopped it, but I would assume if it did they would have been shouting from the rooftops that they could solve the problem. So now you have an exploit that goes right through your F5 and onto the backend server, executing an arbitrary command on a server on your internal network.