Security is Hard: Part 1
Situation: New website needed for Acme Corporation. The business team has decided we need more widget sales. The web team has promised more sales if they can host a new web applicat...
Published Aug 08, 2012
Version 1.0
jwham20
Nimbostratus
Joined November 08, 2011
Michael_Skreeno
Employee
Aug 09, 2012
Good article! I like the way you start with high level open ended questions and drill down to each function of the environment. Clearly breaking down the way each tier of components will interact and considering the total possible attack surface is key when defending an environment.
One of the fastest ways I know of to get the results with one HA pair of devices is to configure it with Local Traffic Manager (LTM) and Application Security Manager (ASM). With BIG-IP's default deny behavior you can limit all of your layer 3 and 4 attack surface to the appropriate virtual servers and ports. With the application level awareness of BIG-IP you can parse and perform the deep packet inspection needed.
With LTM's features alone you can start to ensure traffic constrains to expected patterns. With the HTTP profile you can limit HTTP request header size, header count, encrypt session cookies, and more. iRules are also another powerful tool for mitigation of risk since you can build white and blacklists of IPs, URIs, and a number of other things.
Add ASM into the mix and you can really raise the bar. ASM has the ability to build a policy which includes both positive and negative security models plus the anomaly detection for your DDoS attacks. Policies can be built automatically or manually with a variety of templates. The policy configuration can be very broad or very specific based on the desired risk mitigation. ASM also integrates with a variety of vulnerability assessment tool output that you can use to create AND further build a policy.
Nice job staying grounded in reality with security since with any configuration there will be the "With X number of hours, we can achieve Y level of risk" or risk mitigation (negative or positive security :) ).
Keep up the good work!
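As an added example (not part of the original article or of the comment above), the following iRule shows one way to implement the "white and blacklists of IPs, URIs" that the comment describes for constraining traffic to expected patterns on the BIG-IP. It assumes two internal data groups that are not on this page: `blocked_ips` (type ip) holding client addresses or subnets to drop, and `allowed_uri_prefixes` (type string) holding the URI prefixes the new web application legitimately serves. The rule is assumed to be attached to the virtual server fronting that application.

```tcl
# Added example, not code from the article or the comment author.
# Assumed data groups (hypothetical names, created separately on the BIG-IP):
#   blocked_ips          - type ip, client addresses/subnets to drop outright
#   allowed_uri_prefixes - type string, URI prefixes the application actually serves

when HTTP_REQUEST {
    # 1. Client-IP deny list: known-bad sources never reach the pool.
    if { [class match [IP::client_addr] equals blocked_ips] } {
        log local0. "Dropped request from blocked IP [IP::client_addr] for [HTTP::uri]"
        drop
        return
    }

    # 2. URI allow list (positive model): anything outside the expected
    #    URI space gets a 403 instead of being forwarded to the servers.
    #    "--" stops a URI that begins with "-" being parsed as an option.
    if { not [class match -- [HTTP::uri] starts_with allowed_uri_prefixes] } {
        log local0. "Rejected unexpected URI [HTTP::uri] from [IP::client_addr]"
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
        return
    }

    # 3. Header-count sanity check, in addition to the limit set in the
    #    HTTP profile; the threshold of 50 is an assumed value.
    if { [HTTP::header count] > 50 } {
        log local0. "Rejected request with [HTTP::header count] headers from [IP::client_addr]"
        HTTP::respond 400 content "Bad Request" "Content-Type" "text/plain"
        return
    }
}
```

The order matters: the cheapest check (source address) runs first, so blocked clients cost nothing beyond the match, and every rejection is logged so the decisions are visible to whoever is watching the environment. The header-count and header-size limits the comment mentions are normally set on the virtual server's HTTP profile; the check in step 3 only illustrates how an iRule can reinforce such a limit, not replace it.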