Forum Discussion
V11 as a firewall?
I would like to move things around in my DMZs and "publish" interfaces as virtual servers between tiers on LTMs (no ASM or PSM). I thought this would improve performance as the services needed by each tier would be published in the vlan where the clients live (otherwise the services have to route through a firewall).
7 Replies
- hoolio
Cirrostratus
Hi Mike,
TMOS has always acted as a stateful firewall in that it's a default deny device. With the ICSA certification in v11, I don't see any reason you couldn't use TMOS for this scenario.
I'm interested to hear what other users have to say on this.
Aaron
- Mike_Sullivan_2
Nimbostratus
Well, I thought this might be an interesting question for this group, but the lack of activity seems to indicate otherwise.
@moderators: Should I post this somewhere else?
Thanks,
Mike
- Mike,
As you realize, the ICSA Network Firewall certification is pretty recent, and most QSAs are still not familiar with it. Curious if you have shown your QSA the ICSA Labs report and still had the same reaction?
- Mike_Sullivan_2
Nimbostratus
Hi Michael,
Yes, it is recent. I did share that with the QSA and I could see the gears turning, but they are still hung up on it. It isn't over yet; I'm trying to get them to justify their opinion (I told them I can use a different icon in the diagram if that would help ;-) ).
Mike
- jwham20
Nimbostratus
@mike:
That's a tough one. I spent hours at RSA repeating the same conversation over and over:
attendee: "Hi, doing a firewall refresh, want to see about loadbalancing the new Firewalls with F5"
Me: "Why the extra gear? The F5 is a firewall"
attendee: "No you're not"
Me: "Why"
attendee: "umm, cause you're not"
.................
headdesk
------------------
I took the approach of asking what constitutes a firewall in their mind, then taking that checklist and confirming the F5 v11 has all the functionality they listed.
As for a new icon... sweet! Come up with a cool one and send it in :)!
-Josh
- HHeredia_36237
Nimbostratus
Indeed, after years of F5 doing a great marketing job in the ADC market, it is obviously hard for customers to understand that BIG-IP can provide layer 3 security by itself. Hope this year, with the Application Delivery Firewall strategy, that problem starts to fade away.
I always tell customers that they can save money and increase performance by using F5 as firewalls as well, but some of them are reluctant. Main reason: they don't know F5 as well as we do, so what a big challenge we have in the way.
Regards.
HH
- What_Lies_Bene1
Cirrostratus
You can find some interesting research/information on customer and market perceptions on this subject in this piece by George Notter (an equities researcher) at Jefferies & Co: https://javatar.bluematrix.com/docs...d55e73.pdf.
As it hasn't already been mentioned, also note that v11.3 brings Application Firewall Manager with it, which should make the management and administration far, far easier and help to change the current view.