RE: [fw-wiz] Arch questions
From: Paul Melson (pmelson_at_gmail.com)
To: "'Mike LeBlanc'" <email@example.com>, <firstname.lastname@example.org> Date: Fri, 12 Aug 2005 10:35:46 -0400
> Subject: [fw-wiz] Arch questions
> I am currently planning a move (bring an oursourced hosting overseas to
the US). The
> basics are as follows
> inet rtr -->segment-->fw--->BIG IP--->IPS---->web
> The questions I have are:
> 1/ Someone has recently mentioned the idea of using private adressing
bewteen the inet > rtr and the firewall, with public adressing on the web.
What are the pros and cons?
Did that person mention the specific benefit of using RFC1918 addresses
outside the firewall? Was that person wearing a Cisco shirt? :)
Seriously, the pro is that it makes this network, at least in theory and
common practice, unroutable to the wider Internet. Your firewall's external
interface can't be easily portscanned, etc. The con is that you're
hardening your network by breaking it. I don't see an advantage to doing
this over using access-lists on the border router to prevent this same type
of traffic. And the thing about access-lists is that you can create
exceptions without having to readdress things or mess with routing. It's
also easier to troubleshoot.
> 2/ I was under the impression that we used NAT to "hide" the webserver for
> (obsfucation) as well as the fw rules to protect it. Comments?
NAT is *not* an access control mechanism.
There are things you can do with it that break basic IP routing that create
an additional layer of obscurity. (For instance, using port redirection
instead of static NAT makes it less likely that an attacker that can bypass
the firewall's rules can still route traffic to anything other than the
services you've published.) Of course, that same obscurity can be a problem
for you when it comes to troubleshooting. I'm starting to sense a theme
I say stick to what you know and are comfortable with. That will probably
be 'more secure' because of your understanding of the environment - the
logical conclusion being that your understanding leads to accurate risk
assessment and appropriate layering of access controls within the
> 3/ My research shows I need to have specfic certs (Apache and one other)
> *each* webserver behind the Big IP.
> Anyone have any experience with F5 Big ip 1500s?
It's my understanding that you can offload the SSL connections to the Big IP
appliances. This gives you a number of advantages.
First, you only need one SSL certificate per unique site hosted on the
switch. This also makes adding servers to the site easier since they're not
unique. (Of course, if they need to be uniquely authenticated via
certificate, that's another story, but for
nt-public-CA-so-people-won't-sniff-your-credit-card" e-commerce, it's just
Second, you can place your IDS/IPS between the load balancer and the web
servers and see all web app traffic without the encrypted 'blind spot.'
Good luck with your move!
PS - Can I trade consulting services for an upgrade to 6MB cable? :)
firewall-wizards mailing list