Mar 22, 2018

Challenges with limiting traffic

Hi,

I'm currently working on a remote access solution for a customer. The basics have been set up and work (APM and VPN), but I'm now struggling with trying to narrow down the access for remote users.

Remote users should only be allowed to access IP addresses ending with a specific number, as a means to limit access beyond the applications they service. In addition, remote users should only be given access to the resources they should have, and not be able to access IP addresses they don't work on.

Are there any ways to implement such a solution through APM? I have looked at ACLs, but static will probably be too manual for the customer, and I haven't worked with dynamic ACLs before, so I'm not sure how to set this up properly.

As a test, would it be possible to create a static ACL, or some other form of check, that will allow users access to the correct IP address if the last octet matches?

 

2 Replies

  • Would it be possible to insert a wildcard in an ACL? The last octet of the IP address remote vendors need to access is the same in every location, so if it is possible to do a check on this, I think this would be a step in the right direction. Does anyone have any experience with this?
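
An added example (not from the original thread or from F5) that makes the underlying problem concrete: matching only the last octet is a non-contiguous wildcard mask, which a prefix-based ACL entry (address/length) cannot express, so the practical static-ACL form is one /32 entry per site, generated from the list of site subnets. The site subnets and the `.50` host below are constructed sample values, not the customer's.

```python
"""Test whether a 'last octet' rule fits a normal address/length ACL entry, and
if not, expand it into the per-site /32 entries a static ACL can carry.
Sample subnets here are constructed for illustration."""
import ipaddress
from typing import Iterable, List


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Non-contiguous match: a 1 bit in the wildcard mask means 'don't care'.
    'Any address ending in .50' is pattern 0.0.0.50 with wildcard 255.255.255.0."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (p & care)


def can_express_as_cidr(wildcard: str) -> bool:
    """An address/length ACL entry can only express a wildcard whose don't-care
    bits form a contiguous low-order run, i.e. the mask is 2**k - 1."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def expand_last_octet_rule(site_networks: Iterable[str], last_octet: int) -> List[str]:
    """Return one /32 entry per site for the host ending in last_octet.
    Sites larger than /24 yield one host per /24 inside them; sites smaller
    than /24 yield the host only if it actually lies inside the site."""
    if not 0 <= last_octet <= 255:
        raise ValueError("last octet must be 0..255")
    hosts = set()
    for net in site_networks:
        n = ipaddress.IPv4Network(net, strict=False)
        if n.prefixlen < 24:
            blocks = n.subnets(new_prefix=24)
        elif n.prefixlen == 24:
            blocks = [n]
        else:  # the /24 that contains this smaller site
            blocks = [n.supernet(new_prefix=24)]
        for b in blocks:
            host = ipaddress.IPv4Address(int(b.network_address) + last_octet)
            if host in n:
                hosts.add(host)
    return [f"{h}/32" for h in sorted(hosts)]


if __name__ == "__main__":
    SITES = ["10.1.2.0/24", "10.2.0.0/23", "10.3.3.128/25"]  # constructed sample
    print("single ACL entry possible:", can_express_as_cidr("255.255.255.0"))
    for entry in expand_last_octet_rule(SITES, 50):
        print(entry)
```

The generated list is what you would paste into a static ACL; when a site is added or removed, regenerating the list keeps the per-vendor access aligned with the actual sites.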


  • Hello Kai M,

    In general, when I have to manage this kind of use case, I make sure to manage the access directly on the FW. Let me explain:

    If your F5 equipment is VPN or perimeter security, I guess you put it in a DMZ. So all user access must pass through the FW.

    So access management can be done in a simple way: you can give a specific IP for each user, or a specific range for a specific OU, for example.

    You only have to manage your access on the FW.

    Advantages:

    -> access management independent of the F5 (we can add additional resources for a user regardless of the F5 owner)

    -> visual management of the access rules and the possibility to check the tracker in case of blocking ...

    And I would say a much simpler management ...

    Regards