[fw-wiz] RE: Arch questions

From: Warrington Bruce - bwarri (bruce.warrington_at_acxiom.com)
Date: 08/15/05

  • Next message: Brent Clark: "[fw-wiz] cant connect to port 80"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 15 Aug 2005 11:36:36 -0500

    > The questions I have are:
    > 1/ Someone has recently mentioned the idea of using private addressing
    > between the inet > rtr and the firewall, with public addressing on the
    > What are the pros and cons?

    You can save a few IP addresses by not using up a /29 block for the
    network devices themselves (2 physical + 1 virtual for both the pair of
    routers and the pair of firewalls). Does losing 8 of your routable IP
    addresses mean anything to you, given the number of addresses you have and
    the number you need to set up? If not, don't worry about it.
    The firewall won't be any more or less secure if you go either way. I
    am assuming that you're not going to try to make the firewall outside
    subnet bigger than it needs to be and allow servers to sit on the subnet
    between the firewall and the router, which is a much bigger security

    > 3/ My research shows I need to have specific certs (Apache and one
    > other) for
    > *each* webserver behind the Big IP.
    > Anyone have any experience with F5 Big IP 1500s?

    You can offload the SSL certs to the BigIP, but the requirement of
    buying a cert per web server is a contractual requirement, not a
    technical one. The BigIP provides a speed improvement by not requiring
    your web server to do any of the crypto, and also gives you a LOT more
    options for load balancing. Remember, if you do SSL on the web server,
    the BigIP can't see the traffic as anything but encrypted packets going
    to an IP address, so it can't do very much but spread the connections
    around to your pool of servers. If the BigIP opens up the SSL traffic
    because it's handling that part, it can see the HTTP traffic, and that
    gives you many other options of things the BigIP can do for you for load
    balancing, session persistence, rule writing, redirection, etc.

    You technically only need 1 SSL cert on the BigIP itself, but legally
    that won't fly. If you read the fine print (or call your SSL cert
    vendor of choice) they'll make it very clear that using a BigIP does NOT
    change your requirement for the number of certs you're supposed to buy.
    It's similar to the case of using your web server to front end your
    database, where the database vendor won't let you drop your enterprise
    license and convert to a single user copy just because you found a way
    to hide the number of users from it. Technically yes, legally no, so
    consider that before you change your licensing model.
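    The difference Bruce describes between SSL passthrough and SSL termination on the balancer, shown as an added example (not code from the post, from F5, or from any BigIP product). It models the two modes of a balancer: in passthrough mode the only stable key it has is the client's source address, while with the session terminated it can read the HTTP request, honour a persistence cookie and route on the path. The pool member names, the cookie name `BIGipServer_pool`, the `/static/` rule and the sample requests are all constructed for the example.

```python
"""Layer-4 (SSL passthrough) vs layer-7 (SSL terminated) balancing.

Added example, not from the original post or from F5.  Pool member
names, the persistence cookie name, the routing rule and the sample
requests are constructed for illustration.
"""
import hashlib

POOL = ["web1", "web2", "web3"]          # constructed pool of back-end servers
PERSIST_COOKIE = "BIGipServer_pool"      # assumed cookie name for the example


def _pick(key: str, pool: list[str]) -> str:
    """Deterministically map a key onto a pool member with a stable hash."""
    digest = hashlib.sha256(key.encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def route_passthrough(client_ip: str, pool: list[str] = POOL) -> str:
    """SSL passthrough: the balancer sees only IP/TCP headers plus opaque
    TLS records, so the only persistence key available is the source
    address.  Every client behind one NAT lands on the same member, and
    no HTTP-level rule (path, cookie, Host) is possible."""
    return _pick(client_ip, pool)


def route_terminated(request: bytes, client_ip: str, pool: list[str] = POOL):
    """SSL terminated on the balancer: the decrypted HTTP request is
    visible, so the balancer can honour an existing persistence cookie,
    apply a path rule, and hand out a cookie for a new session.
    Returns (member, set_cookie_header_or_None)."""
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1] if len(parts) > 1 else "/"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # 1. An existing persistence cookie wins if it names a live member.
    cookies = dict(
        kv.split("=", 1) for kv in headers.get("cookie", "").split("; ") if "=" in kv
    )
    member = cookies.get(PERSIST_COOKIE)
    if member in pool:
        return member, None

    # 2. Path-based rule: only possible because the HTTP request is plaintext.
    if path.startswith("/static/"):
        member = pool[0]              # constructed rule: static content to web1
    else:
        member = _pick(client_ip, pool)

    # 3. New session: insert the persistence cookie on the way back out.
    return member, f"{PERSIST_COOKIE}={member}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    # Constructed sample traffic: two different sessions from one NAT address.
    ip = "203.0.113.5"
    req_new = b"GET /app/login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    req_sticky = (b"GET /app/cart HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Cookie: sid=abc; BIGipServer_pool=web3\r\n\r\n")
    print("passthrough:", route_passthrough(ip), route_passthrough(ip))
    print("terminated :", route_terminated(req_new, ip), route_terminated(req_sticky, ip))
```

In passthrough mode both requests from `203.0.113.5` go to the same member regardless of which session they belong to; once the balancer terminates the session it can keep the second request on `web3` because the cookie says so. A production balancer would normally encode or encrypt the member identity rather than write it into the cookie in the clear, as this example does, so that the pool layout is not exposed to clients.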
    firewall-wizards mailing list