DC
Document Control
Document status (Document control): initial version
Document revision history
Date | Reviser | Version | Revision
8|Page
  Define the Subnets Allowed to Manage the Device ..... 50
  Disallow Management Access from Data Network ..... 52
  User Lockout ..... 56
  Management Session Idle Timeout ..... 58
  SNMP Communities ..... 60
  General ..... 62
Configurations Network Setting ..... 72
  VLANs ..... 72
  Interfaces ..... 74
  Gateways ..... 76
  Proxy IPs ..... 78
Configurations High Availability (Master-Backup) ..... 80
  High Availability ..... 80
  Status HA ..... 82
Virtual Servers & Real Servers ..... 84
  Real Servers ..... 84
    DC ..... 84
    DR ..... 84
  Server Group ..... 85
    DC ..... 85
    DR ..... 87
  Virtual Servers ..... 89
    DC ..... 89
    DR ..... 89
  Virtual Services ..... 90
    DC ..... 90
    DR ..... 92
Web Application Firewall ..... 94
  Secured Web Applications ..... 94
    DC ..... 94
    DR ..... 94
  Tunnels Configuration ..... 95
    DC ..... 95
    DR ..... 95
  Web Applications Policies ..... 96
    DC ..... 96
    DR ..... 96
DNS ..... 97
  DNS Responder VIP ..... 97
    DC ..... 97
    DR ..... 97
Section 1: Executive Summary

Server Load Balancing Solution
Component Specification

Section 2: Scope of work
In this section, provide details about the implementation plan.
Alteon 5208 Secure Scope of Implementation
- Configure DNS Redirection rules
- Configure Client Network rules
8 AppWall configuration up to 5 applications (Done)
  - Configure scheduled security update and geolocation update with Radware cloud (Done)
  - Configure AppWall system for publishing security events to APSolute Vision and 3rd-party SIEM (Done)
  - Configure AppWall Tunnel and Tunnel property for protected applications (Done)
  - Configure AppWall Tunnel Parsing property (Done)
  - Configure AppWall Security policy with protected filters included: Database, Vulnerability and Allow list (Done)
9 AppWall Staging and Go-live
  - Stage 5 protected applications in monitor mode
  - Review security events and summarize the policy review with the customer
  - Switch applications from monitor mode to block mode
C Implementation Hand-Over
1 On The Job Training shall be limited to:
  - Explanation of the implementation topology and relevant technology concepts
  - Run-through of the relevant implemented configuration
  - Basic/common troubleshooting
2 Project Documentation will be limited to:
  - User Acceptance Test Document
  - Implementation Hand-over document
Section 3: Implementation Plan
In this section, provide details about the implementation plan.
ID | Task description | Start | Finish
7 | Global Server Load Balance (GSLB) service configuration up to 10 domain names | |
  | - Configure Real Server for DR site | |
  | - Configure DNS Responder | |
  | - Configure DNS Redirection rules | |
  | - Configure Client Network rules | |
8 | AppWall configuration up to 5 applications | 30/1/2024 | 30/1/2024
  | - Configure scheduled security update and geolocation update with Radware cloud | 30/1/2024 | 30/1/2024
  | - Configure AppWall system for publishing security events to APSolute Vision and 3rd-party SIEM | 30/1/2024 | 30/1/2024
  | - Configure AppWall Tunnel and Tunnel property for protected applications | 30/1/2024 | 30/1/2024
  | - Configure AppWall Tunnel Parsing property | 30/1/2024 | 30/1/2024
  | - Configure AppWall Security policy with protected filters included: Database, Vulnerability and Allow list | 30/1/2024 | 30/1/2024
9 | AppWall Staging and Go-live | |
  | - Stage 5 protected applications in monitor mode | |
  | - Review security events and summarize the policy review with the customer | |
  | - Switch applications from monitor mode to block mode | |
C | Implementation Hand-Over | |
1 | On The Job Training shall be limited to: | |
  | - Explanation of the implementation topology and relevant technology concepts | |
  | - Run-through of the relevant implemented configuration | |
  | - Basic/common troubleshooting | |
2 | Project Documentation will be limited to: | |
  | - User Acceptance Test Document | |
  | - Implementation Hand-over document | |
Section 4: Network Diagram
Solution Diagram
Section 5: Pre-requisite Information Checklist
Management IP Address DC
No | Device | IP Address | IP Subnet | Gateway | Switch | MAC | Serial | Version
3 | Cyber Controller | 172.16.150.18 | 255.255.255.0 | 172.16.150.254 | OOB Switch | 56:6f:b7:92:00:17 | 4017160681 | 10.2.0

Management IP Address DR
No | Device | IP Address | IP Subnet | Gateway | Switch | MAC | Serial | Version
Devices installed DC
DC1_BCH4_LBF4_1 - Front
DC1_BCH4_LBF4_1 - Back
DC1_BCH4_LBF4_2 - Front
DC1_BCH4_LBF4_2 - Back

Devices installed DR
DR_TCCT_LBF5_1 - Front
DR_TCCT_LBF5_1 - Back
DR_TCCT_LBF5_2 - Front
DR_TCCT_LBF5_2 - Back
Network Configuration - Alteon DC1_BCH4_LBF4_1
IP Interfaces
No | IP Address | IP Subnet | Gateway | VLAN | Interface Type (Client/Server/Proxy) | Remark

Network Configuration - Alteon DC1_BCH4_LBF4_2
IP Interfaces
No | IP Address | IP Subnet | Gateway | VLAN | Interface Type (Client/Server/Proxy) | Remark
1 | 172.16.111.2 | 255.255.255.0 | 172.16.111.254 | 111 | Client/Server |

Network Configuration - Alteon DR_TCCT_LBF5_1
IP Interfaces
No | IP Address | IP Subnet | Gateway | VLAN | Interface Type (Client/Server/Proxy) | Remark
6 | 172.16.217.1 | 255.255.255.0 | 172.16.217.254 | 217 | Client/Server |
7 | 172.16.218.1 | 255.255.255.0 | 172.16.218.254 | 218 | Client/Server |
8 | 172.16.219.1 | 255.255.255.0 | 172.16.219.254 | 219 | Client/Server |
9 | 172.16.220.1 | 255.255.255.0 | 172.16.220.254 | 220 | Client/Server |
10 | 172.16.221.1 | 255.255.255.0 | 172.16.221.254 | 221 | Client/Server |
11 | 172.16.222.1 | 255.255.255.0 | 172.16.222.254 | 222 | Client/Server |
12 | 172.16.223.1 | 255.255.255.0 | 172.16.223.254 | 223 | Client/Server |
13 | 172.16.224.1 | 255.255.255.0 | 172.16.224.254 | 224 | Client/Server |

Network Configuration - Alteon DR_TCCT_LBF5_2
IP Interfaces
No | IP Address | IP Subnet | Gateway | VLAN | Interface Type (Client/Server/Proxy) | Remark
1 | 172.16.211.2 | 255.255.255.0 | 172.16.211.254 | 211 | Client/Server |
Network Configuration - High Availability
Floating IP DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2
No | IP Address | Remark
1 | 172.16.111.10 |
2 | 172.16.112.10 |
3 | 172.16.113.10 |
4 | 172.16.114.10 |
5 | 172.16.115.10 |
6 | 172.16.116.10 |
7 | 172.16.117.10 |
8 | 172.16.118.10 |
9 | 172.16.119.10 |
10 | 172.16.120.10 |
11 | 172.16.121.10 |
12 | 172.16.122.10 |
13 | 172.16.123.10 |
14 | 172.16.124.10 |

Floating IP DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2
No | IP Address | Remark
2 | 172.16.212.10 |
3 | 172.16.213.10 |
4 | 172.16.214.10 |
5 | 172.16.216.10 |
6 | 172.16.217.10 |
7 | 172.16.218.10 |
8 | 172.16.219.10 |
9 | 172.16.220.10 |
10 | 172.16.221.10 |
11 | 172.16.222.10 |
12 | 172.16.223.10 |
13 | 172.16.224.10 |
Proxy IP VLANs
Proxy IP DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2
No | IP Address | VLAN | Remark
1 | 172.16.111.13 | 111 |
2 | 172.16.112.13 | 112 |
3 | 172.16.113.13 | 113 |
4 | 172.16.114.13 | 114 |
5 | 172.16.115.13 | 115 |
6 | 172.16.116.13 | 116 |
7 | 172.16.117.13 | 117 |
8 | 172.16.118.13 | 118 |
9 | 172.16.119.13 | 119 |
10 | 172.16.120.13 | 120 |
11 | 172.16.121.13 | 121 |
12 | 172.16.122.13 | 122 |
13 | 172.16.123.13 | 123 |
14 | 172.16.124.13 | 124 |

Proxy IP DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2
No | IP Address | VLAN | Remark
2 | 172.16.212.13 | 212 |
3 | 172.16.213.13 | 213 |
4 | 172.16.214.13 | 214 |
5 | 172.16.216.13 | 216 |
6 | 172.16.217.13 | 217 |
7 | 172.16.218.13 | 218 |
8 | 172.16.219.13 | 219 |
9 | 172.16.220.13 | 220 |
10 | 172.16.221.13 | 221 |
11 | 172.16.222.13 | 222 |
12 | 172.16.223.13 | 223 |
13 | 172.16.224.13 | 224 |
Virtual Service Configuration
Real Server DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2
No | Real Server ID | IP Address | Port / Service Type | Health Check | Remark
1 | PRD_DMZ-Dataplan01 | 172.16.123.51 | - | Inherit | -
2 | PRD_DMZ-Dataplan02 | 172.16.123.52 | - | Inherit | -
3 | PRD_DMZ-PostgreSQL01 | 172.16.123.51 | - | Inherit | -
4 | PRD_DMZ-PostgreSQL02 | 172.16.123.52 | - | Inherit | -
5 | PRD_INT-Dataplan01 | 172.16.122.51 | - | Inherit | -
6 | PRD_INT-Dataplan02 | 172.16.122.52 | - | Inherit | -
7 | PRD_INT-PostgreSQL01 | 172.16.122.51 | - | Inherit | -
8 | PRD_INT-PostgreSQL02 | 172.16.122.52 | - | Inherit | -
9 | PRE-PRD_DMZ-Dataplan01 | 172.16.118.51 | - | Inherit | -
10 | PRE-PRD_DMZ-Dataplan02 | 172.16.118.52 | - | Inherit | -
11 | PRE-PRD_DMZ-PostgreSQL01 | 172.16.118.51 | - | Inherit | -
12 | PRE-PRD_DMZ-PostgreSQL02 | 172.16.118.52 | - | Inherit | -
13 | PRE-PRD_INT-Dataplan01 | 172.16.117.51 | - | Inherit | -
14 | PRE-PRD_INT-Dataplan02 | 172.16.117.52 | - | Inherit | -
15 | PRE-PRD_INT-PostgreSQL01 | 172.16.117.51 | - | Inherit | -
16 | PRE-PRD_INT-PostgreSQL02 | 172.16.117.52 | - | Inherit | -
17 | sdc1cbsiu1 | 172.16.113.51 | - | Inherit | -
18 | sdc1cbsiu2 | 172.16.113.52 | - | Inherit | -
19 | sdc1cbsiu4 | 172.16.112.51 | - | Inherit | -
20 | sdc1cbsiu5 | 172.16.112.52 | - | Inherit | -
21 | UAT_DMZ-Dataplan01 | 172.16.113.51 | - | Inherit | -
22 | UAT_DMZ-Dataplan02 | 172.16.113.52 | - | Inherit | -
23 | UAT_DMZ-PostgreSQL01 | 172.16.113.51 | - | Inherit | -
24 | UAT_DMZ-PostgreSQL02 | 172.16.113.52 | - | Inherit | -
25 | UAT_INT-Dataplan01 | 172.16.112.51 | - | Inherit | -
26 | UAT_INT-Dataplan02 | 172.16.112.52 | - | Inherit | -
27 | UAT_INT-PostgreSQL01 | 172.16.112.51 | - | Inherit | -
28 | UAT_INT-PostgreSQL02 | 172.16.112.52 | - | Inherit | -
29 | PRD_DMZ-Dataplan01 | 172.16.123.51 | - | Inherit | -
30 | PRD_DMZ-Dataplan02 | 172.16.123.52 | - | Inherit | -
31 | PRD_DMZ-PostgreSQL01 | 172.16.123.51 | - | Inherit | -
32 | PRD_DMZ-PostgreSQL02 | 172.16.123.52 | - | Inherit | -
Real Server DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2
No | Real Server ID | IP Address | Port / Service Type | Health Check | Remark
1 | PRD_DMZ-Dataplan01 | 172.16.223.51 | - | Inherit | -
2 | PRD_DMZ-Dataplan02 | 172.16.223.52 | - | Inherit | -
3 | PRD_DMZ-PostgreSQL01 | 172.16.223.51 | - | Inherit | -
4 | PRD_DMZ-PostgreSQL02 | 172.16.223.52 | - | Inherit | -
5 | PRD_INT-Dataplan01 | 172.16.222.51 | - | Inherit | -
6 | PRD_INT-Dataplan02 | 172.16.222.52 | - | Inherit | -
7 | PRD_INT-PostgreSQL01 | 172.16.222.51 | - | Inherit | -
8 | PRD_INT-PostgreSQL02 | 172.16.222.52 | - | Inherit | -

Server Group DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2
12 | UAT_INT-PostgreSQL | UAT_INT-PostgreSQL01 | - | TCP_PostgreSQL | Least Connection | Backup: rUAT_INT-PostgreSQL02
Virtual Server DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2
No | Virtual Server ID | IP Address | Port / Service | Server Group | Remark
1 | PRD_DMZ-Dataplan | 172.16.123.21 | 443 | PRD_DMZ-Dataplan | ProxyIP: Ingress
2 | PRD_DMZ-PostgreSQL | 172.16.123.22 | 5432 | PRD_DMZ-PostgreSQL | ProxyIP: Ingress
3 | PRD_INT-Dataplan | 172.16.122.21 | 443 | PRD_INT-Dataplan | ProxyIP: Ingress
4 | PRD_INT-PostgreSQL | 172.16.122.22 | 5432 | PRD_INT-PostgreSQL | ProxyIP: Ingress
5 | PRE-PRD_DMZ-Dataplan | 172.16.118.21 | 443 | PRE-PRD_DMZ-Dataplan | ProxyIP: Ingress
6 | PRE-PRD_DMZ-PostgreSQL | 172.16.118.22 | 5432 | PRE-PRD_DMZ-PostgreSQL | ProxyIP: Ingress
7 | PRE-PRD_INT-Dataplan | 172.16.117.21 | 443 | PRE-PRD_INT-Dataplan | ProxyIP: Ingress
8 | PRE-PRD_INT-PostgreSQL | 172.16.117.22 | 5432 | PRE-PRD_INT-PostgreSQL | ProxyIP: Ingress
9 | UAT_DMZ-Dataplan | 172.16.113.21 | 443 | UAT_DMZ-Dataplan | ProxyIP: Ingress
10 | UAT_DMZ-PostgreSQL | 172.16.113.22 | 5432 | UAT_DMZ-PostgreSQL | ProxyIP: Ingress
11 | UAT_INT-Dataplan | 172.16.112.21 | 443 | UAT_INT-Dataplan | ProxyIP: Ingress
12 | UAT_INT-PostgreSQL | 172.16.112.22 | 5432 | UAT_INT-PostgreSQL | ProxyIP: Ingress
Virtual Server DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2
No | Virtual Server ID | IP Address | Port / Service | Server Group | Remark
1 | PRD_DMZ-Dataplan | 172.16.223.21 | 443 | PRD_DMZ-Dataplan | ProxyIP: Ingress
2 | PRD_DMZ-PostgreSQL | 172.16.223.22 | 5432 | PRD_DMZ-PostgreSQL | ProxyIP: Ingress
3 | PRD_INT-Dataplan | 172.16.222.21 | 443 | PRD_INT-Dataplan | ProxyIP: Ingress
4 | PRD_INT-PostgreSQL | 172.16.222.22 | 5432 | PRD_INT-PostgreSQL | ProxyIP: Ingress
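The Section 5 tables are what a reviewer checks before go-live; the Python below is an added example (not from the hand-over document) running the usual consistency checks over such a plan: floating IPs, proxy IPs and VIPs must sit on a VLAN the device has an interface in, a proxy IP must match its bound VLAN, real server IDs must be unique (rows 29-32 of the DC table repeat rows 1-4), and every group member must be a defined real server. The rows are a constructed subset of the page's tables with one deliberate error, and the helper names are hypothetical.

```python
"""Consistency checks over the kind of IP plan laid out in the Section 5
tables. Added example, not part of the hand-over document: the rows are a
constructed subset of the page's tables with one deliberate error, and
the helper names are hypothetical."""
import ipaddress
from collections import Counter, defaultdict

# VLAN -> interface subnet, as in the interface tables. VLAN 124 is left
# out on purpose so the "no interface" finding below is exercised.
INTERFACES = {111: "172.16.111.0/24", 112: "172.16.112.0/24",
              122: "172.16.122.0/24", 123: "172.16.123.0/24"}
FLOATING_IPS = ["172.16.111.10", "172.16.112.10", "172.16.123.10"]
PROXY_IPS = [("172.16.111.13", 111), ("172.16.123.13", 123), ("172.16.124.13", 124)]
REAL_SERVERS = [  # (real server id, ip); the fourth row repeats the first,
    ("PRD_DMZ-Dataplan01", "172.16.123.51"),   # as rows 29-32 of the DC table do
    ("PRD_DMZ-Dataplan02", "172.16.123.52"),
    ("PRD_DMZ-PostgreSQL01", "172.16.123.51"),
    ("PRD_DMZ-Dataplan01", "172.16.123.51"),
    ("PRD_INT-Dataplan01", "172.16.122.51"),
]
VIRTUAL_SERVERS = [  # (virtual server id, vip, port, group members)
    ("PRD_DMZ-Dataplan", "172.16.123.21", 443,
     ["PRD_DMZ-Dataplan01", "PRD_DMZ-Dataplan02"]),
    ("PRD_INT-Dataplan", "172.16.122.21", 443,
     ["PRD_INT-Dataplan01", "PRD_INT-Dataplan02"]),
]


def subnets(interfaces):
    return {vlan: ipaddress.ip_network(cidr) for vlan, cidr in interfaces.items()}


def vlan_for(ip, nets):
    """VLAN whose interface subnet contains ip, or None if there is none."""
    addr = ipaddress.ip_address(ip)
    return next((vlan for vlan, net in nets.items() if addr in net), None)


def check_addresses(interfaces, floating, proxies, vips):
    """Floating IPs, proxy IPs and VIPs must sit on a VLAN the device has an
    interface in, and a proxy IP must lie in the subnet of its bound VLAN."""
    nets = subnets(interfaces)
    findings = []
    for ip in floating:
        if vlan_for(ip, nets) is None:
            findings.append(f"floating {ip}: no interface subnet covers it")
    for ip, vlan in proxies:
        if vlan not in nets:
            findings.append(f"proxy {ip}: no interface on VLAN {vlan}")
        elif ipaddress.ip_address(ip) not in nets[vlan]:
            findings.append(f"proxy {ip}: outside the VLAN {vlan} subnet")
    for vsid, vip, _port, _members in vips:
        if vlan_for(vip, nets) is None:
            findings.append(f"VIP {vip} ({vsid}): no interface subnet covers it")
    return findings


def check_real_servers(real_servers):
    """Duplicate real server IDs are errors; one host behind several IDs (a
    Dataplan and a PostgreSQL entry on the same address) is only reported."""
    ids = Counter(rid for rid, _ in real_servers)
    dupes = sorted(rid for rid, n in ids.items() if n > 1)
    hosts = defaultdict(set)
    for rid, ip in real_servers:
        hosts[ip].add(rid)
    shared = {ip: sorted(r) for ip, r in hosts.items() if len(r) > 1}
    return dupes, shared


def check_groups(vips, real_servers):
    """Every group member a virtual server names must be a defined real server."""
    known = {rid for rid, _ in real_servers}
    return [f"{vsid}: member {m} is not a defined real server"
            for vsid, _vip, _port, members in vips for m in members if m not in known]
```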
Section 6: Configuration Summary
In this section, provide details of the configuration related to the Scope of Work.
Hardening devices
User Accounts
Radware recommends changing the default password of the predefined accounts
Configuration > System > Users > Local Users > Settings
Change password -> P@ssw0rdExim
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
SSH
By default, Alteon is accessible via SSH on TCP port 22. Consider changing the default ports and disabling SSH
version 1. In addition, consider using PKI for SSH login.
Configuration > System > Management Access > Management Protocols > SSH
Selected V2 only
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
HTTPS Access
Consider changing the default ports and disabling weak TLS versions.
Configuration > System > Management Access > Management Protocols > HTTPS
Selected TLS 1.2 and TLS 1.3
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
Telnet Access
Ensure that Telnet access is not allowed.
Configuration > System > Management Access > Telnet
Unselected Enable Telnet
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
Login Banner
Note: The maximum allowed banner size is 319 characters.
Configuration > System > Management > CLI
Unauthorized ACCESS is Strictly Prohibited
This system is the property of the Export-Import Bank of Thailand
Disconnect IMMEDIATELY if you are not an authorized user.
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
Audit configuration
By default, Alteon does not log management events such as logins and configuration changes. Analyzing these logs may help in recognizing unauthorized access.
Configuration > System > Logging and Alerts
Enable All
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
Define the Subnets Allowed to Manage the Device
Radware recommends limiting access to Alteon management to a set of specific subnets. By default, all subnets are allowed. You can also specify the permitted access methods per subnet.
Configuration > System > Management Access > Access Control > Allowed Protocols per Network > Add
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
Disallow Management Access from Data Network
Radware recommends allowing management access only via the management port.
Configuration > System > Management Access > Access Control > Data Port Access for Management Traffic
Change to Deny all
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
User Lockout
To mitigate brute-force attacks against the Alteon management interface, Radware recommends locking users out after unsuccessful login attempts.
Configuration > System > Users > Local Users > Settings
Enable User Lockout > Login Failure Threshold: 5 times > User Lockout Duration: 10 mins > Lockout Reset Duration: 10 mins
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
Management Session Idle Timeout
Radware recommends setting an appropriate timeout for a management session. For production
environments, Radware recommends keeping the idle timeout to the minimum value.
Configuration > System > Management Access
Idle Timeout : 20 mins
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
SNMP Communities
Radware recommends that if SNMP monitoring is enabled, SNMPv3 be used because it can be secured. Using SNMPv1 or SNMPv2c is deprecated because they send community strings in clear text.
Configuration > System > SNMP
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
General
NTP Server Configuration
Radware recommends keeping the time of the load balancer in sync with the local time.
Configuration > System > Time and Date
Set Primary IP Address : 172.16.150.254
Secondary IP Address : 0.0.0.0
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
Syslog Configuration
Radware also recommends exporting device logs to a unified location (such as a SIEM) to allow for security
events investigation.
Configuration > System > Logging and Alerts
Set Syslog IP Address : 172.16.150.20
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
DNS Server Configuration
Radware recommends configuring a DNS server for the Alteon device.
Configuration > System > DNS Client
Primary IP Address : 8.8.8.8
Secondary IP Address : 8.8.4.4
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
Device Name
Radware recommends displaying the device name at the CLI prompt.
Configuration > SNMP > System Name
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2
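As an added example, taken neither from the document nor from Radware, the following Python compares a per-device snapshot of the management-plane settings listed in this hardening section against the values chosen here (SSH v2 only, TLS 1.2/1.3, Telnet off, banner, full audit logging, management subnets, data-port deny, lockout 5/10, idle timeout 20, SNMPv3, NTP and syslog targets); the snapshot keys are hypothetical names for those settings and both sample devices are constructed.

```python
"""Audit of a management-plane settings snapshot against the hardening
baseline of Section 6. Added example, not part of the hand-over document
and not a Radware API: the snapshot keys are hypothetical names for the
settings the section lists, and both sample devices are constructed."""

# Values chosen for the four Alteons in this document.
BASELINE = {
    "ssh_versions": {"v2"}, "tls_versions": {"1.2", "1.3"},
    "audit_logging": "all", "data_port_mgmt": "deny_all",
    "lockout_threshold": 5, "lockout_duration_min": 10,
    "idle_timeout_min": 20, "snmp_versions": {"v3"},
    "ntp_primary": "172.16.150.254", "syslog_server": "172.16.150.20",
    "banner_max_chars": 319,
}


def audit(snapshot, baseline=BASELINE):
    """Return findings for one device; an empty list means it matches the baseline."""
    f = []
    if snapshot.get("default_password_changed") is not True:
        f.append("predefined account still has its default password")
    if set(snapshot.get("ssh_versions", ())) - baseline["ssh_versions"]:
        f.append("SSH: protocol versions other than v2 are enabled")
    weak_tls = set(snapshot.get("tls_versions", ())) - baseline["tls_versions"]
    if weak_tls:
        f.append("HTTPS: weak TLS versions enabled: " + ", ".join(sorted(weak_tls)))
    if snapshot.get("telnet_enabled", True):  # treat an unknown state as enabled
        f.append("Telnet management access is enabled")
    banner = snapshot.get("login_banner", "")
    if not banner:
        f.append("no login banner configured")
    elif len(banner) > baseline["banner_max_chars"]:
        f.append("login banner exceeds the 319-character maximum")
    if snapshot.get("audit_logging") != baseline["audit_logging"]:
        f.append("management event logging is not enabled for all events")
    if not snapshot.get("mgmt_allowed_subnets"):
        f.append("management access is not limited to specific subnets")
    if snapshot.get("data_port_mgmt") != baseline["data_port_mgmt"]:
        f.append("management traffic is still accepted on data ports")
    # A lockout that triggers later, or releases sooner, than the baseline is weaker.
    if (not snapshot.get("lockout_enabled")
            or snapshot.get("lockout_threshold", 10**9) > baseline["lockout_threshold"]
            or snapshot.get("lockout_duration_min", 0) < baseline["lockout_duration_min"]):
        f.append("user lockout absent or weaker than 5 attempts / 10 minutes")
    if snapshot.get("idle_timeout_min", 10**9) > baseline["idle_timeout_min"]:
        f.append("management idle timeout longer than 20 minutes")
    if snapshot.get("snmp_enabled") and \
            set(snapshot.get("snmp_versions", ())) - baseline["snmp_versions"]:
        f.append("SNMP v1/v2c communities (clear-text) are in use")
    if snapshot.get("ntp_primary") != baseline["ntp_primary"]:
        f.append("NTP primary server differs from the baseline")
    if snapshot.get("syslog_server") != baseline["syslog_server"]:
        f.append("syslog is not exported to the SIEM collector")
    return f


# Constructed snapshots: one device hardened as in Section 6, one at factory defaults.
HARDENED = {
    "default_password_changed": True, "ssh_versions": ["v2"],
    "tls_versions": ["1.2", "1.3"], "telnet_enabled": False,
    "login_banner": "Unauthorized ACCESS is Strictly Prohibited",
    "audit_logging": "all", "mgmt_allowed_subnets": ["172.16.150.0/24"],
    "data_port_mgmt": "deny_all", "lockout_enabled": True,
    "lockout_threshold": 5, "lockout_duration_min": 10, "idle_timeout_min": 20,
    "snmp_enabled": True, "snmp_versions": ["v3"],
    "ntp_primary": "172.16.150.254", "syslog_server": "172.16.150.20",
}
FACTORY = {"ssh_versions": ["v1", "v2"], "tls_versions": ["1.0", "1.1", "1.2"],
           "telnet_enabled": True, "snmp_enabled": True, "snmp_versions": ["v2c"]}
```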
Configurations Network Setting
VLANs
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2

Interfaces
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2

Gateways
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2

Proxy IPs
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2

Configurations High Availability (Master-Backup)
High Availability
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2

Status HA
DC1_BCH4_LBF4_1
DC1_BCH4_LBF4_2
DR_TCCT_LBF5_1
DR_TCCT_LBF5_2

Virtual Servers & Real Servers
Real Servers
DC
DR

Server Group
DC
Dataplan
PostgreSQL
DR
Dataplan
PostgreSQL

Virtual Servers
DC
DR

Virtual Services
DC
Dataplan
PostgreSQL
DR
Dataplan
PostgreSQL

Web Application Firewall
Secured Web Applications
DC
DR

Tunnels Configuration
DC
DR

Web Applications Policies
DC
DR

DNS
DNS Responder VIP
DC
DR