Using ASM in a forward-http proxy scenario?

The short answer to Ido's question is: because I can :-)

 

 

In this particular setup I will use F5 devices which will also be loaded with the ASM-module (for other reasons) so I thought "hey, why not also inspect client-traffic?".

 

 

Of course there are other devices that deep inspect the traffic on the road (idp, antispyware, antivirus etc) but anything that doesnt bring (major) impact negatively on the performance and can (in total) bring a better hitrate regarding protecting the clients (but also protect rest of the world from the clients :-) is of interrest in my case.

 

 

Regarding the SSL question im thinking of SSL-terminate both in the F5 and in the application firewall which sit behind the forward-http proxies (from the F5 point of view). Not only in order to be able to use ASM on the flows but also to be able to use oneconnect for the SSL traffic (but this will be investigated further - some docs says oneconnect with /32-mask should work when SSL-termination is being used in F5, others says it doesnt).

 

 

The particular setup uses two vservers: VS_FORWARD-HTTP and VS_FORWARD-HTTPS along with a oneconnect profile set to /32-mask (so even if the client uses lets say 10 connections towards the VS_FORWARD-HTTPS ip the idea is that only a single tcp-session (per client) will reach the forward-http proxy which the traffic loadbalances to).

 

 

And since F5 is a FPGA platform (if we take VIPRION 2400 as example) I assume that the performance impact enabling ASM wont be that large compared to if one does this on a x86 based platform?

 

 

I also hope that F5 in future will expand the IDP capabilities so this test is simply if this can be done and how well it works (both in quality but also performance).