
List:       loadbalancing-l
Subject:    RE: [load balancing] BigIP and firewalls
From:       "Chuck Adkins" <Chuck.Adkins () theice ! com>
Date:       2003-02-10 16:27:51

The only thing that pops out to me is the management of the BIGIPs via
valid addresses.  If you are going to have a valid address listening to
443 and/or 22 - I would be careful.  There was a fairly recent spate of
both OpenSSL and Apache bugs found in the last couple of months (and
some exploit code specific to BSD if I remember correctly).

That said - at a previous company we used our BIGIPs specifically as you
are indicating.  They acted not only as the LBs but also served as the
FWs.  I ran that setup for about 2.5 years and we never had any security
incidents.  It is notable that a colleague still at that company told me
that those BIGIPs were affected by the recent SQL Slammer.  Without the
FWs in front he wasn't able to filter out the SQL and they became
overwhelmed with traffic - however if the FW team wasn't quick enough
this would have happened even with a FW.  If you are able to have some
kind of private management network for the BIGIPs - I would say this is
a pretty good cost-effective implementation.

Chuck

-----Original Message-----
From: Chris Kirby [mailto:ckirby@solaristech.com] 
Sent: Friday, February 07, 2003 10:07 PM
To: lb-l@vegan.net
Subject: [load balancing] BigIP and firewalls


I would like to set up a DMZ with a pair of F5 BigIP HA+'s as packet
filters and using an IDS (Snort) to monitor both the public and DMZ
network in front and behind the load balancers. Is there much security
risk in using this kind of setup instead of having real firewalls in
place in front of the F5's? I am using an old version of BigIP
3.2.3PTF-01.

Just curious for some input.

Thanks,

Chris.

____________________
The Load Balancing Mailing List
Unsubscribe:    mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
Archive:        http://vegan.net/lb/archive
LBDigest:       http://lbdigest.com
MRTG with SLB:  http://vegan.net/MRTG
Hosted by:	http://www.tokkisystems.com
