Friday, August 26, 2005

firewall-wizards digest, Vol 1 #1650 - 1 msg

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. RE: Arch questions (Warrington Bruce - bwarri)

--__--__--

Message: 1
Date: Mon, 15 Aug 2005 11:36:36 -0500
From: "Warrington Bruce - bwarri" <bruce.warrington@acxiom.com>
To: <firewall-wizards@honor.icsalabs.com>
Subject: [fw-wiz] RE: Arch questions

> The questions I have are:
> 1/ Someone has recently mentioned the idea of using private addressing
> between the inet > rtr and the firewall, with public addressing on the
> web.
> What are the pros and cons?

You can save a few IP addresses by not using up a /29 block for the
network devices themselves. (2 physical + 1 virtual for both the pair of
routers, and the pair of firewalls). Does losing 8 of your routable IP
addresses mean anything to you for the number of addresses you have and
the number of these you need to setup? If not, don't worry about it.
The firewall won't be any more or less secure if you go either way. I
am assuming that you're not going to try to make the firewall outside
subnet bigger than it needs to be and allow servers to sit on the subnet
between the firewall and the router, which is a much bigger security
concern.

> 3/ My research shows I need to have specific certs (Apache and one
> other) for
> *each* webserver behind the Big IP.
> Anyone have any experience with F5 Big ip 1500s?

You can offload the SSL certs to the BigIP, but the requirement of
buying a cert per web server is a contractual requirement, not a
technical one. The BigIP provides a speed improvement by not requiring
your web server to do any of the crypto, and also gives you a LOT more
options for load balancing. Remember, if you do SSL on the web server,
the BigIP can't see the traffic as anything but encrypted packets going
to an IP address, so it can't do very much but spread the connections
around to your pool of servers. If the BigIP opens up the SSL traffic
because it's handling that part, it can see the http traffic, and that
gives you many other options of things the BigIP can do for you for load
balancing, session persistence, rule writing, redirection, etc.

You technically only need 1 SSL cert on the BigIP itself, but legally
that won't fly. If you read the fine print (or call your SSL cert
vendor of choice) they'll make it very clear that using a BigIP does NOT
change your requirement for the number of certs you're supposed to buy.
It's similar to the case of using your web server to front end your
database, where the database vendor won't let you drop your enterprise
license and convert to a single user copy just because you found a way
to hide the number of users from it. Technically yes, legally no, so
consider that before you change your licensing model.
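The trade-off Bruce describes (a balancer that only forwards opaque TLS records versus one that terminates TLS and can act on the HTTP inside) can be shown in a few lines. The following is an added example, not code from the original post or from any F5 product: a toy decision function with both modes. The pool names (web1..web3), the three L7 rules (canonical-host redirect, a persistence cookie named `srv`, a path-based rule for `/api/`) and the sample request bytes are all constructed for illustration.

```python
"""Added example, not from the original post or any F5 product: a toy
load-balancer decision function showing what a balancer can act on when
TLS passes through to the web servers versus when the balancer terminates
TLS itself. Pool names, rules and sample bytes are constructed."""
import hashlib
from dataclasses import dataclass

POOL = ["web1", "web2", "web3"]          # hypothetical backend pool


@dataclass
class Connection:
    client_ip: str
    payload: bytes                        # what the balancer sees on the wire


def is_tls_record(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 3."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def parse_http_request(plaintext: bytes) -> dict:
    """Minimal HTTP/1.x parser: request line plus headers (lower-cased keys)."""
    head = plaintext.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            cookies[k.strip()] = v.strip()
    return {"method": method, "path": path, "headers": headers, "cookies": cookies}


def pick_passthrough(conn: Connection) -> dict:
    """TLS terminated on the web server: the balancer sees only encrypted
    records, so the decision can rest on L3/L4 facts alone (here a
    source-IP hash, which at least keeps one client on one server)."""
    digest = hashlib.sha256(conn.client_ip.encode()).digest()
    idx = int.from_bytes(digest[:4], "big") % len(POOL)
    return {"action": "forward", "backend": POOL[idx], "basis": "source-ip hash"}


def pick_terminated(conn: Connection) -> dict:
    """TLS terminated on the balancer: HTTP is visible, so rules can use the
    Host header, cookies and the path (the persistence, redirect and rule
    options the post refers to). conn.payload here is the decrypted request."""
    req = parse_http_request(conn.payload)
    host = req["headers"].get("host", "")
    if host == "example.com":            # hypothetical canonical-host redirect rule
        return {"action": "redirect",
                "location": "https://www.example.com" + req["path"]}
    srv = req["cookies"].get("srv")      # hypothetical persistence cookie
    if srv in POOL:
        return {"action": "forward", "backend": srv, "basis": "cookie persistence"}
    if req["path"].startswith("/api/"):  # hypothetical path-based pool rule
        return {"action": "forward", "backend": "web3", "basis": "path rule"}
    return {**pick_passthrough(conn), "basis": "source-ip hash (no L7 rule matched)"}


def decide(conn: Connection, balancer_terminates_tls: bool) -> dict:
    """Dispatch on where TLS terminates; a passthrough listener must only
    ever see TLS records, so plaintext there is treated as an error."""
    if not balancer_terminates_tls:
        if not is_tls_record(conn.payload):
            raise ValueError("expected TLS records on a passthrough listener")
        return pick_passthrough(conn)
    return pick_terminated(conn)


# Constructed sample traffic (not captured from a real system).
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301002f0100002b0303") + b"\x00" * 32
HTTP_WITH_COOKIE = (b"GET /account HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Cookie: srv=web2; theme=dark\r\n\r\n")
HTTP_API = b"GET /api/v1/status HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTTP_BARE_HOST = b"GET /login HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    client = "203.0.113.7"
    print(decide(Connection(client, TLS_CLIENT_HELLO_PREFIX), False))
    print(decide(Connection(client, HTTP_WITH_COOKIE), True))
    print(decide(Connection(client, HTTP_API), True))
    print(decide(Connection(client, HTTP_BARE_HOST), True))
```

In passthrough mode every request from the same client lands on the same server and nothing else is possible, because the Host header, cookies and path are inside the encrypted records; once the balancer holds the key and terminates TLS, those same fields drive persistence, pool selection and redirects. The security caveat a practitioner should weigh is the one the post leaves implicit: terminating on the balancer means the private key and plaintext live on that device, and the balancer-to-server leg is cleartext unless it is re-encrypted.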

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
