Forum Discussion

CarlT's avatar
CarlT
Icon for Altostratus rankAltostratus
Dec 12, 2019

Using F5 as a reverse proxy hosting internet accessible to hosts on inside.

Hi All

Can someone advise,

We have a requirement to host a web service on the internet, the F5 has an VIP to the internet, the server hosts sit on the inside of our network, these are routed via a VLAN straight off the F5, so this would be insecure in my eyes as normally internet accessible servers should be on the DMZ.

Would it be a secure method doing it this way if the F5 was configured as a full proxy? if so what would we need to make it secure?

Would we need ASM or other modules? OR would you always need the servers in a DMZ ?

Could you get it to route to the servers internally via the firewall and just add routes to the F5? to me I still cannot see how this would be secure unless the F5 is doing security checking?

 

 

The modules we are licenced for are below?

  • Local Traffic Manager, i2800(Perpetual)
  • APM, Limited
  • Max SSL, i2800
  • Max Compression, i2800
  • Anti-Virus Checks
  • Base Endpoint Security Checks
  • Firewall Checks
  • Network Access
  • Secure Virtual Keyboard
  • APM, Web Application
  • Machine Certificate Checks
  • Protected Workspace
  • Remote Desktop
  • App Tunnel

 

 

 

application delivery
BIG-IP
security

1 Reply

Sort By
  • MW1's avatar
    MW1
    Icon for Cirrus rankCirrus
    Dec 12, 2019

    Really this comes down to your/ your company's appetite for risk. I personally would say you should use the ASM to filter the traffic (ideally regardless these days even if the server is in the DMZ). If an attacker was able to exploit the backend server via a HTTP request and then get a shell on the server (via the inbound HTTP) then obviously they have access to everything the backend server has. Without restricting what the server has access to (i.e. by putting a firewall in between it and the internal network) there is an obvious risk, which you could use the ASM/WAF along with AV on the server as a compensating control to reduce said risk. Personally I would always try to insist on the backend server in the DMZ not only does the firewall restrict access but gives you a log so you can actually see what connections it is making (ideally with ASM/WAF and AV applied too).