Forum Discussion

Mike_Sullivan_2's avatar
Icon for Nimbostratus rankNimbostratus
May 31, 2012

V11 as a firewall?

I would like to move things around in my DMZs and "publish" interfaces as virtual servers between tiers on LTMs (no ASM or PSM). I thought this would improve performance as the services needed by each tier would be published in the vlan where the clients live (otherwise the services have to route through a firewall).



I also thought that it would be pretty standard but when I proposed this to our QSA, the response was that F5 is not a SPI firewall. I guess it isn't a pure firewall play, and the QSA didn't feel comfortable with the design.



I went and talked to my F5 support engineer and he said that at V11, F5 was certified as a firewall by an independent lab: 0_Family_4 1xLab_Report_20120127.pdf



Has anyone had any experience with this? How did you convince your auditors that it's ok, or is it ok?



I'd be interested in hearing your thoughts.










7 Replies

  • Hi Mike,



    TMOS has always acted as a stateful firewall in that it's a default deny device. With the ICSA certification in v11, I don't see any reason you couldn't use TMOS for this scenario.



    I'm interested to hear what other users have to say on this.



  • Well, I thought this might be an interesting question for this group, but the lack of activity seems to indicate otherwise.



    @moderators: Should I post this somewhere else?





  • Mike,



    As you realize, the ICSA Network Firewall certification is pretty recent, and most QSAs are still not familiar with it. Curious if you have shown your QSA the ICSA Labs report and still had the same reaction?
  • Hi Michael,



    Yes it is recent. I did share that with the QSA and I could see the gears turning, but they still are hung up on it. It isn't over yet, I'm trying to get them to justify their opinion (I told them I can use a different icon in the diagram if that would help ;-) ).



  • @mike:



    That's a tough one. I spent hours at RSA repeating the same conversation over and over:



    attendee: "Hi, doing a firewall refresh, want to see about loadbalancing the new Firewalls with F5"


    Me: "Why the extra gear? the F5 is a firewall"


    attendee: "No you're not"


    Me: "Why"


    attendee:"umm, cause you're not"









    I took the approach of asking what constitutes a firewall in their mind, then taking that checklist and confirming the F5 v11 has all the functionality they listed.



    As for a new icon... sweet! Come up with a cool one and send it in :)!





  • Indeed after years of F5 doing a great marketing job on ADC market, is obviously hard for customers to understand that BIG-IP can provide layer 3 security by itself. Hope this year with the Application Delivery Firewall strategy that problem start to fade away.



    I always tell the costumers that they can save money and increase performance using f5 as firewalls as well but some of them are reluctant. Main reason: They don't know well F5 as we do, so , what a big challenge we have in the way.





  • You can find some interesting research/information on customer and market perceptions on this subject in this piece by George Notter (an equities researcher) at Jefferies & Co:



    As it hasn't already been mentioned also note that v11.3 brings Application Firewall Manager with it which should make the management and administration far, far easier and help to change the current view.