Forum Discussion

GVIJ_208206
Jun 25, 2015

Reverse Proxy Functionality when WSS is used

Hi,

As a part of our solutions proposal we are including F5 to be placed in the DMZ to act as a reverse proxy for the server residing in the customer's internal network. Our server application implementation includes HTTPS and WSS between client and the server. Here is the setup:

Client-->External Firewall-->F5 Reverse Proxy-->Internal Firewall-->Server

Now, the customer has raised the concern that since WSS is being leveraged, F5 can only act as an LTM and not APM and would not provide a true reverse proxy functionality. This could expose the server application located inside the internal network to the risk of attacks. The LTM also does not provide true termination of the incoming HTTP requests.

Can you please let me know if leveraging WSS will cause F5 to be just a load balancer and not provide true reverse proxy functionality?

Wouldn't F5 be able to terminate HTTP traffic and act as proxy on behalf of the client in our scenario?

Do you see any security risks with this option?

thanks

7 Replies

  • WSS? West Side Story? Windows Storage Server? Windows SharePoint Services? Why So Serious? WS-Security?
  • i don't believe that APM (authentication) was ever a requirement for using the BIG-IP (or any system) as a reverse proxy. in principle a reverse proxy is nothing more than a device which requests information from servers and serves it to clients.

    based on that i don't see why websockets are any different than any other tcp protocol.

    in this sol it is stated you can even load balance it fine, showing the separation still exists: http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14754.html

  • Follow-up question.

    Since F5 would be placed in the customer's DMZ network and acting as a proxy (HTTPS/WebSocket) between the Internet client and the internal application server, are there any major security risks associated with the WebSocket connection between client and server?

    The internal application is built on JDK and, if exploited via the WebSocket connection, could allow the hacker to access the program flow and modify the code. This is the customer's concern.

    If there is any best practice documentation for F5 configuration to protect against this kind of WebSocket vulnerability, please let me know.

    Thank you

  • explain to me the difference between this and users being able to influence the program flow and modify the code via "normal" HTTP POST and GET commands.

    there isn't a difference between normal HTTP and WebSockets if you just use the BIG-IP as proxy. in both cases if you allow the users to send requests and handle those badly, things can happen that you don't want. but that is how this works.

  • Is it correct to say that the BIG-IP provides the same level of security for the WSS protocol as for HTTP?

    Are there any server-side (intranet) security features which need to be implemented specifically for WSS?

    thanks

  • Hi,

    Could you please refer to my question above? I would need to know if there are any additional security measures needed on our application server residing on the corporate intranet since WSS would be leveraged via F5.

    Thanks
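
The replies' point that a proxied WebSocket connection is handled like any other HTTP request, shown as an added example (not from the thread and not F5 code): a WSS session opens with an ordinary HTTP GET carrying an Upgrade header, so whatever terminates TLS can validate it per RFC 6455 before any frames reach the application. The function names, the Origin allowlist and the sample request are assumptions made for illustration.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455
ALLOWED_ORIGINS = {"https://app.example.com"}     # assumed allowlist

# Constructed sample: the opening request of a WebSocket session (key from RFC 6455).
SAMPLE = (b"GET /chat HTTP/1.1\r\nHost: app.example.com\r\n"
          b"Upgrade: websocket\r\nConnection: keep-alive, Upgrade\r\n"
          b"Origin: https://app.example.com\r\n"
          b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
          b"Sec-WebSocket-Version: 13\r\n\r\n")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def check_upgrade(raw: bytes, allowed_origins=ALLOWED_ORIGINS):
    """Return (True, accept_token) for a valid upgrade, else (False, reason)."""
    try:
        method, _path, h = parse_request(raw)
    except ValueError:
        return False, "malformed request line"
    if method != "GET":
        return False, "upgrade must be a GET"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False, "connection header lacks upgrade"
    if h.get("sec-websocket-version") != "13":
        return False, "unsupported version"
    if h.get("origin") not in allowed_origins:
        return False, "origin not allowed"  # blocks cross-site WebSocket use
    key = h.get("sec-websocket-key", "")
    try:
        nonce = base64.b64decode(key, validate=True)
    except ValueError:
        return False, "bad key"
    if len(nonce) != 16:
        return False, "bad key"
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return True, base64.b64encode(digest).decode("ascii")
```

After the handshake the connection carries framed messages rather than HTTP requests, so the application still has to validate every message it receives, as it would any POST body.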