Saturday, July 22, 2017

CONTROL EXTERNAL ACCESS to an F5 VS with a data-group

HOWTO

Restrict access to a website by external source address, using an ltm data-group of approved networks and an iRule that checks the client address against it.



1st, craft a data-group of type ip and list the approved networks as CIDR blocks. Each record is a network, so write it as the aligned network address: 6.1.9.0/17 and 195.3.1.0/20 in the original have host bits set and are shown here as the blocks they actually denote, 6.1.0.0/17 and 195.3.0.0/20. The full tmsh object name is ltm data-group internal.


ltm data-group internal MYAPPROVEDNETS {
    records {
        6.1.0.0/17 { }
        195.3.0.0/20 { }
        1.1.1.1/32 { }
        10.17.1.0/24 { }
    }
    type ip
}


2nd, build a simple iRule that references the data-group against the client address in CLIENT_ACCEPTED, then selects the site by Host header in HTTP_REQUEST.



ltm rule MYACCESSRULE {
    # Source check first: this runs on the TCP handshake, before any
    # HTTP is parsed, so unapproved sources never reach the app tier.
    when CLIENT_ACCEPTED {
        if { not ( [class match [IP::client_addr] equals MYAPPROVEDNETS] ) } {
            reject
        }
    }

    # Site selection by Host header. The header is compared lowercased
    # because Host is case-insensitive; a Host that matches none of the
    # cases falls through to the virtual server's default pool.
    when HTTP_REQUEST {
        switch [string tolower [HTTP::host]] {
            "ghjdev.examples.com" {
                persist cookie insert "HjDEVWEBS01" "1d 00:00:00"
                pool pool.GHjdev.examples.com
            }
            "ghjdev-admin.examples.com" {
                persist cookie insert "HjDEVWEBS03" "1d 00:00:00"
                pool pool.GHjdev-admin.examples.com
            }
            "ghjtest-admin.examples.com" {
                persist cookie insert "HjDEVWEBS02" "1d 00:00:00"
                # "set node ..." only assigns a Tcl variable; the node
                # command takes the address and port as separate arguments.
                node 10.1.1.13 80
            }
            "dfdev.examples.com" {
                persist cookie insert "HjDEVWEBSx2" "1d 00:00:00"
                snatpool POOLSNAT01
                pool pool.dfdev.examples.com
            }
        }
    }
}


NOTE: with this iRule attached, the examples.com virtual server only accepts connections from the sources defined by the data-group; everything else is reset in CLIENT_ACCEPTED, before any HTTP is parsed. The check is on the TCP source address the BIG-IP actually sees, so if clients arrive through an upstream proxy, CDN or SNAT device, the data-group has to list that device's addresses. Do not substitute X-Forwarded-For for this check, since that header is set by the client and is trivially forged.
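To sanity-check a data-group change before it is pushed, the following added example (written for this post, not F5 code, and it never talks to a BIG-IP) parses records in the layout of the stanza above, flags records whose host bits are set instead of silently widening them, performs the longest-prefix match that class match ... equals does on an address data-group, applies the same allow/reject decision as the CLIENT_ACCEPTED event, and renders the cleaned list back in tmsh layout. The record list and client addresses are constructed sample input.

```python
"""Offline sanity check for an F5 address-type data-group and the
"reject unless the source matches" decision of the iRule above.

Added example for this post; it is not F5 code and does not talk to a
BIG-IP. Records are parsed the way they appear in an
``ltm data-group internal ... type ip`` stanza.
"""
import ipaddress

# Constructed sample input: the four records from the post as originally
# written. Two of them are not aligned on their prefix boundary.
SAMPLE_RECORDS = ["6.1.9.0/17", "195.3.1.0/20", "1.1.1.1/32", "10.17.1.0/24"]


def parse_records(records):
    """Return (networks, problems).

    networks: ip_network objects for every well-formed record.
    problems: (record, reason) pairs for records to fix before they are
    pushed; unaligned records are reported, not silently widened.
    """
    networks, problems = [], []
    for rec in records:
        rec = rec.strip()
        try:
            networks.append(ipaddress.ip_network(rec, strict=True))
        except ValueError:
            try:
                widened = ipaddress.ip_network(rec, strict=False)
            except ValueError:
                problems.append((rec, "not an IP address or CIDR block"))
            else:
                problems.append((rec, f"host bits set; as a network this is {widened}"))
    return networks, problems


def longest_match(addr, networks):
    """Return the most specific network containing addr, or None.

    Mirrors `class match <addr> equals <ip data-group>`: an address
    matches when it falls inside any record, and the longest prefix wins
    when records overlap.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for net in networks:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return best


def decide(addr, networks):
    """The CLIENT_ACCEPTED policy: allow on a match, otherwise reject."""
    return "allow" if longest_match(addr, networks) is not None else "reject"


def to_tmsh(name, networks):
    """Render the networks as an internal address data-group stanza."""
    ordered = sorted(networks, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    lines = [f"ltm data-group internal {name} {{", "    records {"]
    lines += [f"        {net.with_prefixlen} {{ }}" for net in ordered]
    lines += ["    }", "    type ip", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    nets, problems = parse_records(SAMPLE_RECORDS)
    for rec, why in problems:
        print(f"FIX  {rec}: {why}")
    print(to_tmsh("MYAPPROVEDNETS", nets))
    # Constructed client addresses: one inside 10.17.1.0/24, the /32 host,
    # a neighbour of the /32, and an address just outside the /24.
    for client in ["10.17.1.77", "1.1.1.1", "1.1.1.2", "10.17.2.1"]:
        print(f"{client:>12}  {decide(client, nets):6}  {longest_match(client, nets)}")
```

Run it as a script to see the two unaligned records reported, the cleaned stanza, and the allow/reject verdict per client. Unaligned records are deliberately kept out of the match set so the tool never guesses at what the BIG-IP would do with them; fix the record, re-run, then push.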



ALTERNATIVELY

You could use mutual SSL/TLS authentication, so that only web clients presenting a certificate issued by your CA can reach the website. This is smarter in the long run, since you no longer have to track web clients whose addresses change on a regular basis.


Using either approach you can stand up DEV or UAT environments and allow only trusted networks (or trusted certificate holders) to reach them.


The iRule above references a typical design: multiple pools that make up the various sites, and a dev team spread across two network spaces.



Ken Felix



NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \


