Re: F5 and similar

From: Joao Gouveia (tharbad_at_kaotik.org)
Date: 08/27/03

    To: pen test <pentestlist@hotmail.com>
    Date: Wed, 27 Aug 2003 12:00:37 +0100

    Hi,

    On Wed, 2003-08-27 at 02:55, pen test wrote:
    > Recently I started a pen test of a network and the company is using a F5
    > BigIP for load balancing and ssl acceleration. I looked and looked and
    > could not find any information to answer a few questions. Any help would be
    > great.
    >
    > Does the BigIp handle all requests and stay between the client and server or
    > does it just simply redirect to the server?

    BigIp acts as a load balancer; it may or may not have specific rules
    that decide where the client requests are to be delivered. For example,
    you can have some "/images" URI being passed to a pool of image servers,
    and a "/cgi" URI passed to a pool of application servers. As such, you
    can also have rules that send requests like "/vulnerable.cgi" redirected
    to /dev/null.
    BigIp is very flexible in this kind of configuration.

    > Basically what I am getting at is if the BigIp is between the
    > client and application server
    >
    > client ---ssl--- bigip ---http--- application server

    You're probably talking with BigIp's ssl-proxy.

    > is the application server safe from attacks that may affect it as the
    > bigip will actually be the one that is attacked?

    I would say that most likely they have a virtual address which is
    handled by BigIp, and passed to specific pools of servers based on
    destination ports, rules, etc.
    It should be safe, for example, from attacks to a port that is not
    mapped on the virtual server (the attacker would be talking with the
    BigIp, not the app server), but not from attacks directed to the mapped
    ports (probably port 80).

    Unless they've used the (powerful) filtering features on BigIp,
    requests that are sent to the web servers pool should pass mostly
    transparently.

    Regards,

    Joao Gouveia
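The virtual-server and URI-rule dispatch Joao describes, written out as an added model for the reader (this is not code from the thread and not F5's own configuration language; the address, pool names, ports and rule set are constructed for illustration). It shows which requests terminate at the balancer, which are discarded by a filter rule, and which reach a back-end pool unchanged:

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class VirtualServer:
    """One virtual address:port the balancer listens on (model only)."""
    address: str
    port: int
    default_pool: str
    # (URI prefix, pool) pairs evaluated in order, like the "/images" and
    # "/cgi" rules in the reply above
    uri_rules: list = field(default_factory=list)
    deny_prefixes: list = field(default_factory=list)  # sent to "/dev/null"

    def choose_pool(self, uri: str) -> Optional[str]:
        if any(uri.startswith(p) for p in self.deny_prefixes):
            return None
        for prefix, pool in self.uri_rules:
            if uri.startswith(prefix):
                return pool
        return self.default_pool

class Balancer:
    def __init__(self):
        self._vs = {}

    def add_virtual_server(self, vs: VirtualServer) -> None:
        self._vs[(vs.address, vs.port)] = vs

    def handle(self, dst_addr: str, dst_port: int, uri: str):
        """Return (where the request ends up, pool name or None)."""
        vs = self._vs.get((dst_addr, dst_port))
        if vs is None:
            # Unmapped port: the client is talking to the balancer itself;
            # nothing is relayed to any back-end server.
            return ("balancer", None)
        pool = vs.choose_pool(uri)
        if pool is None:
            return ("discarded", None)
        # Mapped port and no filter hit: request passes through transparently.
        return ("forwarded", pool)

def build_example_balancer() -> Balancer:
    """Constructed sample: SSL virtual server on 203.0.113.10:443."""
    b = Balancer()
    b.add_virtual_server(VirtualServer(
        "203.0.113.10", 443, default_pool="web_pool",
        uri_rules=[("/images", "image_pool"), ("/cgi", "app_pool")],
        deny_prefixes=["/vulnerable.cgi"]))
    return b
```

Only the "forwarded" outcome ever touches an application server, which is why a request on the mapped port with no deny rule is exactly as dangerous to the pool as it would be without the balancer in front.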
