[Dshield] Architecture approach

Scott Melnick smelnick at water.com
Fri Aug 12 14:40:41 GMT 2005

Well, as Aaron somewhat put it, NAT does not hide your machines, at
least for incoming traffic, and it is unnecessary overhead. I agree
it does "hide" outbound-only traffic to an extent. (If it didn't, then
could someone kindly give me my machine's IP address out of the 5,000
machines behind my firewalls?) But that is the cause for the
misconception. It only works one way.

As for your F5 question: no, it does not need a public IP address on the
interface to work. You only need multiple certs if you have multiple
sites. You can use 1 cert on the F5 for as many servers as you want,
assuming that the cert is for the same 1 site that you are balancing.
This is what you want to do. You don't want to load balance SSL and put
an overhead on your backend machines. Terminate it all on the F5 (it has
a built-in SSL accelerator). The F5 basically works like a reverse
While NAT is hard to avoid when going through some firewalls and then
the F5, you can still avoid it by splitting up your ISP-assigned addresses
into smaller subnet chunks. If you are going to load balance a good
amount of servers, then you will basically have to use NAT at the inside
interface of the F5. It will not matter much, since inbound traffic stops
at the F5. Also, don't make the mistake of thinking the F5 will serve
as a firewall, as most people do (it's really a reverse proxy/balancer).
I recommend sandwiching an F5 in between two firewalls, as I recommend
with any internet-based service.


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of
mlinfosec at comcast.net
Sent: Thursday, August 11, 2005 1:57 PM
To: General DShield Discussion List
Subject: [Dshield] Architecture approach

I had a quick question regarding public web routing/IP architecture. Is
there any advantage to using private addressing on the outside of the
firewall that is protecting your web server? Someone mentioned that then
the firewall cannot be pinged, etc. (You can write rules to stop that.)
I like to use public addresses on that segment, in case I need to test
things that need a publicly routable address. I was always under the
impression you used NATing to *hide* the address of the webserver. What
is "best practice"? I am assuming that your web servers would then need
to have public addressing and static routes in the external router to
your firewall, which would also have a route to the public IP address
(of your web server).
Which brings me to my next point. I am planning on using F5 Big IP
1500s to load balance my web traffic. I want to terminate the SSL
sessions on the 1500. Do they have to have public IPs to work? I also
understand I may need to use 1 cert for each web server behind the F5s.
Can anyone confirm?
Any help is appreciated in advance.
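The arrangement Scott describes above, SSL terminated on the balancer with one site certificate and plain HTTP to the pool of backends on the inside interface, as an added Go example; this is not part of the original thread and not F5 code, and the backend addresses and certificate file paths are constructed placeholders.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync/atomic"
)

// Pool is the set of plain-HTTP web servers on the inside interface.
type Pool struct {
	backends []*url.URL
	next     uint64
}

// NewPool parses the backend base URLs (used in round-robin order).
func NewPool(addrs ...string) (*Pool, error) {
	p := &Pool{}
	for _, a := range addrs {
		u, err := url.Parse(a)
		if err != nil {
			return nil, err
		}
		p.backends = append(p.backends, u)
	}
	return p, nil
}

// Director picks the next backend (atomic counter, so concurrent requests are
// safe), sends the request to it over plain HTTP, keeps the original Host
// header (one site, one cert) and marks that TLS was terminated here.
// ReverseProxy itself appends the client address to X-Forwarded-For.
func (p *Pool) Director(r *http.Request) {
	b := p.backends[(atomic.AddUint64(&p.next, 1)-1)%uint64(len(p.backends))]
	r.URL.Scheme, r.URL.Host = b.Scheme, b.Host
	r.Header.Set("X-Forwarded-Proto", "https")
}

func main() {
	// Constructed RFC 1918 backends; site.crt/site.key are placeholder paths
	// for the one certificate of the site being balanced.
	pool, err := NewPool("http://10.0.1.11:80", "http://10.0.1.12:80")
	if err != nil {
		log.Fatal(err)
	}
	// The proxy only forwards; it is not a firewall, so it sits between two.
	proxy := &httputil.ReverseProxy{Director: pool.Director}
	log.Fatal(http.ListenAndServeTLS(":443", "site.crt", "site.key", proxy))
}
```

The backends see X-Forwarded-Proto and X-Forwarded-For, so their logs still record the real client and scheme even though every connection arrives from the balancer's inside address.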
