Forum Discussion

zubair_syed_199
Jul 03, 2015

Public IP as external VIP on LTM

Hi,

Is it a good practice to configure a Public IP on an external VIP on LTM, or should we do a NAT on a network firewall that translates Public into Private and then configure a Private IP address on the external VIP? This way we won't expose VIPs directly over the internet.

thanks,

8 Replies

  • Hi Vernon,

    Thanks for the reply, we are not using any security module on LTM like AFM or ASM, we have Juniper Firewalls in place to secure the network.

  • If I may add, AFM is a stateful firewall, very much like the Juniper firewall you're using now, and ASM is a Web Application Firewall, so not something a typical (packet filtering) firewall would handle. Since you have a firewall you don't really need another one (AFM), though you may at some point want to question which is better. And ASM is something you'd definitely want to consider to protect your web resources. But to your question, it is absolutely okay to use public addresses in a BIG-IP VIP. Even without AFM, as Vernon stated, BIG-IP is a default-deny hardened security device and is ICSA certified (a firewall certification).

  • Hi Kevin,

    I understand the benefit of using ASM and AFM, but due to budget limitations we cannot add those modules.

    Is there a document that tells more about this default-deny feature of LTM? Well, I'll search for it myself meanwhile :)

    Thanks for the answers guys,

  • Hi Zubair,

    As Vernon stated, and I will back his statement, there is no such thing as a best practice; the best practice is the local security strategy that the organization has for itself. As far as creating the VIP on the external side is concerned, it can be done.

    Regards,

  • Hello Zubair,

    I can also back up the statement that destination NAT on a firewall is NOT a security feature in any way. If you are, however, planning to use the GTM in the future and use autodiscovery of the LTM's Virtual Servers, then you should consider using public IPs for the VS. Just as a hint, remember to enable the VS only on the VLANs on which you actually want it to listen for traffic. If you don't limit it, the VS will be accessible on all VLANs by default.

    Also, it is true that the BIG-IP itself is a deny-all device and will reject all traffic that doesn't match a listener object such as a Virtual Server or a SNAT (pool).

    Best regards David
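The VLAN hint in David's reply, shown as an added tmsh example (not from the thread, and not F5's own documentation): the first virtual server uses the default, which leaves it listening on every VLAN; the second restricts it to the external VLAN. The VLAN name `external`, the pool `pool_www`, and the TEST-NET address are assumed placeholders.

```tmsh
# Constructed example. Default behaviour: no VLAN list and vlans-disabled,
# so this VS answers on every VLAN the BIG-IP is attached to.
create ltm virtual vs_www_allvlans destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp http } pool pool_www

# Restricted: the same VS, but enabled only on the "external" VLAN.
create ltm virtual vs_www destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp http } pool pool_www vlans add { external } vlans-enabled

# Check which VLANs an existing VS is bound to and whether the list is
# an allow-list (vlans-enabled) or a block-list (vlans-disabled).
list ltm virtual vs_www vlans vlans-enabled vlans-disabled
```

The `list` output is worth checking on every internet-facing VS after a change: a public address on a VS that is still `vlans-disabled` with an empty VLAN list is reachable from the internal VLANs as well.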