Geeks With Blogs
Nicholas Zurfluh blog

The traditional approach to site security.

Allow all traffic, then identify unauthorized requests and stop them. This would be a deductive method.

The deductive method would compare HTTP requests against a class of unauthorized values. A negative result would consider the request safe and send it to pool X. A positive match would identify an unauthorized request, which would be discarded. Since we cannot exhaustively anticipate all future vulnerabilities, this method will never be comprehensive.

A comprehensive solution would include an inductive method.

The inductive method would work as follows: all authorized HTTP requests use pool X, while unauthorized HTTP requests are parsed further by deductive means and/or changed into an authorized request, or discarded altogether.

An inductive method would also require much less overhead than the deductive method. Rules require parsing of packets, and when we are trying to keep latency at a minimum, the less data to parse the better. You can think of it like an ACL: with ACLs, you give your allowances first and your denials last. This ensures that the traffic is processed quickly.
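A small model of the inductive-first flow described above, added here as an example; it is not the author's iRule and not BIG-IP syntax. The allow-list, the fallback deny-list, the pool name and the request paths are all constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Allow-list of authorized requests (constructed for this example): an HTTP
# method plus a path pattern. Anything that matches goes straight to pool X.
ALLOWED = [
    ("GET", re.compile(r"^/$")),
    ("GET", re.compile(r"^/products/\d+$")),
    ("GET", re.compile(r"^/static/[\w.-]+\.(css|js|png)$")),
    ("POST", re.compile(r"^/cart$")),
]

# Deny-list used only as the fallback ("deductive") step, also constructed.
DENIED = [
    re.compile(r"\.\./"),   # parent-directory traversal sequence
    re.compile(r"%00"),     # encoded NUL byte
]

@dataclass
class Decision:
    action: str   # "pool_x" or "discard"
    path: str     # path actually forwarded (after any rewrite)
    stage: str    # step that decided: "allow", "deny", "rewrite" or "default"

def is_allowed(method: str, path: str) -> bool:
    return any(m == method and p.match(path) for m, p in ALLOWED)

def normalize(path: str) -> str:
    """Try to turn a near-miss into an authorized request: drop the query
    string, collapse repeated slashes and strip a trailing slash."""
    path = path.split("?", 1)[0]
    path = re.sub(r"/{2,}", "/", path)
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return path

def route(method: str, path: str) -> Decision:
    # Inductive step first: the common, known-good case costs one lookup.
    if is_allowed(method, path):
        return Decision("pool_x", path, "allow")
    # Deductive step only for what is left over.
    if any(p.search(path) for p in DENIED):
        return Decision("discard", path, "deny")
    # Try to change the request into an authorized one, then re-check.
    fixed = normalize(path)
    if fixed != path and is_allowed(method, fixed):
        return Decision("pool_x", fixed, "rewrite")
    # Default deny: nothing on the allow-list vouched for it.
    return Decision("discard", path, "default")
```

The `stage` field shows which step made the decision, so you can confirm that authorized traffic never reaches the costlier deny-list parsing.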

The bad news is that it would be nearly impossible to create such a rule with Big-IP 4.5.9; anticipating all authorized values would be too difficult. The good news is that F5 acquired Traffic Shield to do just this. It employs application-layer security that works beyond a packet-by-packet analysis and is session aware. It does far more than I could hope to accomplish with Big-IP 4.5.9.

Posted on Thursday, September 9, 2004 6:00 PM in F5 networks

Comments on this post: Using F5 iRules to augment server security


Copyright © Nicholas Zurfluh