Forum Discussion

Michaelyang
Feb 06, 2023
Solved

If there is no firewall, the risk of problems

Hello,

My architecture is as follows
" Clients -> firewall -> F5 -> Server "

I would like to ask if it is risky to open all ports in the client -> F5 VIP section of the firewall?
For example:
445 is a risky port.
Client -> F5 VIP:445 is open on the firewall.
But F5 does not have a virtual server on port 445.
At this point, is the F5 VM itself or the target server at risk of being attacked?

Any help is appreciated.

  • Paulius
    Feb 06, 2023

    Michaelyang, because the F5 is not configured to listen on 445 in the example you have provided, you do not currently have a risk for the backend servers or the F5. The keyword here is currently: it is possible that in the future a vulnerability might exist that does leave your F5 or backend servers vulnerable to an attack, which is why you should only ever allow the ports you need through and not everything. What is the reasoning for allowing all ports through to the F5 virtual server? If the reasoning here is because someone doesn't want to go allow each port when you start to use it, that is an extremely flawed and hugely risky approach to managing a network. It's best to stick to best practices and not to encourage practices that put your network in a vulnerable security posture.

6 Replies

  • Here are some best practices for hardening an F5:

    https://support.f5.com/csp/article/K53108777

    It is not a good idea to open all ports. Never.

    Open only ports that you use.
    Why do you use a firewall if you open all ports?

    Why do you open access to something that does not exist?

    If your F5 has no VIP on port 445, then it will drop the session.

    Unless you have a forwarding VIP that does some routing, and then it might get to the backend servers.

  • I can tell you that yes, it is risky to open all ports in the client->F5 VIP section of the firewall. By opening all ports, the firewall is allowing all traffic to pass through, increasing the risk of security vulnerabilities and potential attacks. Without a firewall, the network and connected devices are vulnerable to cyber attacks, hacking, viruses, malware, unauthorized access, data theft, and network disruption. This can result in damage to the system, loss of confidential information, and a decrease in productivity. A firewall acts as the first line of defense in protecting the network, making it essential for organizations to have a firewall in place. 

    • Michaelyang

      Hi Michaeleasley,

      Thanks for your reply.

      Take the example I mentioned as an example.
      If F5 does not have port 445 of the virtual server, the BIG-IP system will not handle any network traffic on port 445 and should reject them.
      What could be the risk to F5 or the backend server?

      Any help is appreciated.

      • Paulius (MVP) replied with the accepted answer shown above.

  • Hi Michaelyang,
    As long as you do not configure a virtual server or a listener to listen on port 445, F5 will reject all traffic destined for this port, so no further traffic should reach the back-end server because F5 will drop all traffic requiring this port.

    I am only curious about one thing: do you perform a destination NAT on your firewall, or not?

    Also, the best practice to be on the safe side is to harden and restrict your firewall policies; you should filter layer 4 connections by a firewall first, to prevent non-beneficial traffic from reaching the F5. This is my opinion.
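The two replies above agree on the core point: traffic to a port with no listener is dropped by the BIG-IP, but a wildcard or forwarding VIP changes that. The following audit, added here as an example and not code from the thread or from F5, classifies each port a firewall rule allows toward a VIP against a constructed inventory of virtual servers (the names and addresses are invented, and the inventory is a plain list rather than anything read from a real BIG-IP):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Virtual:
    """One virtual server as a defender would inventory it (constructed model)."""
    name: str
    dest_ip: str      # "0.0.0.0" models an any-address (wildcard) listener
    dest_port: int    # 0 models "any port", as a forwarding VIP would use
    ip_forward: bool = False

# Constructed sample inventory: two real listeners plus one forwarding VIP.
VIRTUALS = [
    Virtual("vs_web_https", "203.0.113.10", 443),
    Virtual("vs_web_http", "203.0.113.10", 80),
    Virtual("vs_forward_all", "0.0.0.0", 0, ip_forward=True),
]

def listeners_for(virtuals, vip, port):
    """Return the virtual servers that would accept a packet to vip:port."""
    return [v for v in virtuals
            if v.dest_ip in ("0.0.0.0", vip)
            and v.dest_port in (0, port)]

def audit_rule(virtuals, vip, allowed_ports):
    """Classify every port the firewall allows toward the VIP.
    'dropped'   : no listener, the BIG-IP discards it (the 445 case in the thread)
    'specific'  : a dedicated VIP handles it (a port you actually use)
    'forwarded' : only a wildcard/forwarding VIP matches, so the packet can
                  reach the back end; this is where an open port is a real risk."""
    report = {}
    for port in allowed_ports:
        hits = listeners_for(virtuals, vip, port)
        if not hits:
            report[port] = "dropped"
        elif any(not v.ip_forward and v.dest_port == port for v in hits):
            report[port] = "specific"
        else:
            report[port] = "forwarded"
    return report

def ports_to_close(report):
    """Ports the firewall rule allows but no dedicated VIP needs: the
    'open only the ports you use' list from the replies above."""
    return sorted(p for p, status in report.items() if status != "specific")

if __name__ == "__main__":
    # An "allow all ports" rule toward the VIP, as asked about in the question.
    report = audit_rule(VIRTUALS, "203.0.113.10", range(1, 65536))
    print("445 ->", report[445], "| ports to close:", len(ports_to_close(report)))
```

With the forwarding VIP present, 445 is reported as "forwarded"; remove that VIP from the inventory and the same port becomes "dropped", which is the situation the accepted answer describes.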