Forum Discussion
Routing of DMZ F5 traffic to internal F5 traffic
- Oct 28, 2014
I wouldn't consider it best practice, but people have their own opinions. Ask yourself this: would you open a rule up from the Internet directly to an internal server? If not, what protection do you think the F5 is adding to this connection to make your scenario better? Assuming you are just talking about LTM, it is working as a proxy and terminating the connection, but for the most part it will pass all application traffic, including application attacks/exploits, right through to your internal server.
As far as routing and firewall rules, that is configuration dependent, but I don't think you can just create a rule allowing the DMZ F5 to talk to the internal F5. Your traffic will go through the external F5 and have some source IP (determined by whether SNAT is enabled, which SNAT pool you use, or automap) to a destination of the internal virtual server. I imagine you will need a separate rule for each VS you want to work this way.
Some simple rules I like to (at least try to) follow:
- All inbound connectivity must terminate at the DMZ
- There is a change of protocol between DMZ and internal (i.e. not just a simple proxy onwards).
- No data in the DMZ
- No accessing shared drives from DMZ back to internal
- No interactive inbound connectivity from DMZ to internal
- No interactive inbound connectivity from external to DMZ
- Obviously things that are DESIGNED to allow inbound interactive connectivity break some of these, e.g. RAS via APM. But that should be protected via STRONG authentication, e.g. two-factor like SecurID.
- Accepting inbound files from users is dangerous. Quarantine & verify accordingly.
There's more of course...
H
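As an added example (not from either post above, and not F5 code), the following Python models the two practical points made in the thread: the source IP the internal firewall sees is decided by the DMZ LTM's SNAT setting (automap uses the self-IPs on the egress VLAN, a SNAT pool uses its members, no SNAT preserves the client IP), so the minimal rule set is one host-to-host rule per SNAT source and internal virtual server; and a proposed policy can be audited against the DMZ principles listed (no any-port DMZ to internal rule, no interactive or file-share ports inbound from the DMZ, no destination wider than one VS). All addresses, the pool name, the VIP list and the `Rule` format are constructed assumptions; nothing is read from a device.

```python
"""Derive the DMZ->internal firewall rules an F5 LTM tier pair needs, then audit a
proposed policy against the DMZ principles from the thread.

Constructed example: the DMZ LTM is modelled as plain data, not read from a live
device. Self-IPs, SNAT pool name and VIPs are made-up values.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Sequence, Tuple

# Ports that imply interactive or file-share access; the thread's rules forbid
# both inbound from the DMZ to the internal network.
INTERACTIVE_PORTS = {22, 23, 3389, 5900}
FILE_SHARE_PORTS = {135, 139, 445, 2049}


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR as the internal firewall sees it
    dst: str              # destination CIDR
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None means any port


@dataclass
class DmzLtm:
    """Just enough of a DMZ LTM to know which source IP it uses towards internal."""
    self_ips: Tuple[str, ...]               # self-IPs on the VLAN facing internal
    snat: str                               # "automap", "none", or a SNAT pool name
    snat_pools: Dict[str, Tuple[str, ...]]  # pool name -> translation addresses

    def egress_sources(self) -> Tuple[str, ...]:
        if self.snat == "automap":
            # Automap picks a self-IP on the egress VLAN, so every one must be allowed.
            return self.self_ips
        if self.snat == "none":
            raise ValueError("no SNAT: the internal firewall sees the original client "
                             "IP, so the rule cannot be pinned to the DMZ F5")
        return self.snat_pools[self.snat]


def required_rules(ltm: DmzLtm,
                   internal_vips: Sequence[Tuple[str, str, int]]) -> List[Rule]:
    """One host-to-host rule per (SNAT source, internal virtual server) pair.

    internal_vips holds (vip_address, proto, port) triples for the internal LTM.
    """
    return [Rule(f"{src}/32", f"{vip}/32", proto, port)
            for src in ltm.egress_sources()
            for vip, proto, port in internal_vips]


def audit(policy: Sequence[Rule], dmz_net: str, internal_net: str) -> List[Tuple[Rule, str]]:
    """Flag DMZ->internal rules that break the thread's principles."""
    dmz, internal = ip_network(dmz_net), ip_network(internal_net)
    findings: List[Tuple[Rule, str]] = []
    for r in policy:
        src, dst = ip_network(r.src), ip_network(r.dst)
        if not (src.subnet_of(dmz) and dst.subnet_of(internal)):
            continue  # only DMZ->internal rules are in scope here
        if r.dport is None:
            findings.append((r, "any-port DMZ->internal rule: not a per-VS rule"))
        elif r.dport in INTERACTIVE_PORTS:
            findings.append((r, f"interactive port {r.dport} inbound from DMZ"))
        elif r.dport in FILE_SHARE_PORTS:
            findings.append((r, f"file-share port {r.dport} from DMZ to internal"))
        if dst.prefixlen < dst.max_prefixlen:
            findings.append((r, "destination wider than one virtual server"))
    return findings


# Constructed sample data (hypothetical addresses and names).
DMZ_LTM = DmzLtm(
    self_ips=("10.20.1.11", "10.20.1.12"),  # one per unit, internal-facing VLAN
    snat="automap",
    snat_pools={"snat_to_internal": ("10.20.1.50",)},
)
INTERNAL_VIPS = [("10.30.5.10", "tcp", 443),
                 ("10.30.5.11", "tcp", 443),
                 ("10.30.5.20", "tcp", 8443)]
PROPOSED_POLICY = [
    Rule("10.20.1.0/24", "10.30.0.0/16", "tcp", None),   # "DMZ F5 to internal F5", as asked
    Rule("10.20.1.11/32", "10.30.5.10/32", "tcp", 443),  # a correct per-VS rule
    Rule("10.20.1.11/32", "10.30.9.5/32", "tcp", 3389),  # interactive inbound from DMZ
    Rule("10.20.1.0/24", "10.30.9.0/24", "tcp", 445),    # file share back to internal
]

if __name__ == "__main__":
    for rule in required_rules(DMZ_LTM, INTERNAL_VIPS):
        print("allow", rule)
    for rule, why in audit(PROPOSED_POLICY, "10.20.0.0/16", "10.30.0.0/16"):
        print("FINDING", why, "->", rule)
```

With automap and two self-IPs, the three internal VSes need six host-to-host rules; switching the same LTM to the single-member SNAT pool cuts that to three, which is one reason to prefer a SNAT pool over automap when the internal firewall is tightly scoped. The audit flags the broad "DMZ F5 to internal F5" rule twice (any port, wide destination) and leaves the correct per-VS rule alone.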