[fw-wiz] RE: Arch questions

From: Warrington Bruce - bwarri (bruce.warrington_at_acxiom.com)
Date: 08/15/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 15 Aug 2005 11:36:36 -0500

    > The questions I have are:
    > 1/ Someone has recently mentioned the idea of using private addressing
    > between the inet > rtr and the firewall, with public addressing on the
    > web.
    > What are the pros and cons?

    You can save a few IP addresses by not using up a /29 block for the
    network devices themselves. (2 physical + 1 virtual for both the pair of
    routers, and the pair of firewalls). Does losing 8 of your routable IP
    addresses mean anything to you for the number of addresses you have and
    the number of these you need to set up? If not, don't worry about it.
    The firewall won't be any more or less secure if you go either way. I
    am assuming that you're not going to try to make the firewall outside
    subnet bigger than it needs to be and allow servers to sit on the subnet
    between the firewall and the router, which is a much bigger security
    concern.

    > 3/ My research shows I need to have specific certs (Apache and one
    > other) for
    > *each* webserver behind the Big IP.
    > Anyone have any experience with F5 Big ip 1500s?

    You can offload the SSL certs to the BigIP, but the requirement of
    buying a cert per web server is a contractual requirement, not a
    technical one. The BigIP provides a speed improvement by not requiring
    your web server to do any of the crypto, and also gives you a LOT more
    options for load balancing. Remember, if you do SSL on the web server,
    the BigIP can't see the traffic as anything but encrypted packets going
    to an IP address, so it can't do very much but spread the connections
    around to your pool of servers. If the BigIP opens up the SSL traffic
    because it's handling that part, it can see the http traffic, and that
    gives you many other options of things the BigIP can do for you for load
    balancing, session persistence, rule writing, redirection, etc.

    You technically only need 1 SSL cert on the BigIP itself, but legally
    that won't fly. If you read the fine print (or call your SSL cert
    vendor of choice) they'll make it very clear that using a BigIP does NOT
    change your requirement for the number of certs you're supposed to buy.
    It's similar to the case of using your web server to front end your
    database, where the database vendor won't let you drop your enterprise
    license and convert to a single user copy just because you found a way
    to hide the number of users from it. Technically yes, legally no, so
    consider that before you change your licensing model.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
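An added illustration of the visibility point made in the reply above (this is example code, not part of the original post or any F5 product): what a load balancer can key on when it only passes TLS through, versus once it terminates TLS and sees the HTTP request. The host name, cookie name and request below are constructed sample values.

```python
import struct

# Constructed sample: a minimal TLS 1.2 ClientHello carrying an SNI extension.
def build_client_hello(sni: str) -> bytes:
    name = sni.encode()
    server_name_list = struct.pack("!BH", 0, len(name)) + name           # type host_name(0), len, name
    sni_ext = (struct.pack("!HH", 0, len(server_name_list) + 2)          # ext type server_name(0), ext len
               + struct.pack("!H", len(server_name_list)) + server_name_list)
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, random (zeroed for the sample)
            + b"\x00"                            # empty session id
            + b"\x00\x02\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                        # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def passthrough_view(record: bytes) -> dict:
    """What a balancer that does NOT terminate TLS can key on: the SNI name
    (plus the IP/port from the packet, not shown). No path, no cookies, no Host."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello"
    p = 9 + 2 + 32                                        # record hdr(5) + hs hdr(4) + version + random
    p += 1 + record[p]                                    # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # cipher suites
    p += 1 + record[p]                                    # compression methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    end, sni = p + ext_len, None
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
        if etype == 0:                                    # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            sni = record[p + 5:p + 5 + name_len].decode()
        p += elen
    return {"sni": sni}

def terminated_view(plaintext: bytes) -> dict:
    """What the same balancer sees after it terminates TLS: the full HTTP request,
    so it can persist sessions on a cookie, route on path, rewrite, redirect, etc."""
    head, _, _ = plaintext.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    method, path, _ = lines[0].split(" ")
    headers = dict(l.split(": ", 1) for l in lines[1:])
    cookies = dict(c.strip().split("=", 1)
                   for c in headers.get("Cookie", "").split(";") if c.strip())
    return {"method": method, "path": path, "host": headers.get("Host"),
            "session": cookies.get("JSESSIONID")}

# Constructed sample request as the balancer would see it once TLS is offloaded to it.
SAMPLE_REQUEST = (b"GET /cart HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Cookie: JSESSIONID=abc123; theme=dark\r\n\r\n")
```

Run both views side by side: the pass-through view yields only `{'sni': 'www.example.com'}`, while the terminated view exposes the path and session cookie a balancer needs for persistence rules.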

