I'm looking for opinions on the relative security of installing a NetCache caching proxy in parallel with a firewall.

I have always considered "best practices" to be that few, if any, devices should be installed in parallel to a firewall unless there is a compelling justification for doing so (fewer attack vectors, simplicity, etc.). However, my client is being told by Network Appliance that they should install their NetCache proxies in parallel with their firewalls for performance reasons. They are also being told that the NetCache proxies are "hardened" and do not support any outside-to-inside initiated connections, and that a large number of their clients install their NetCache proxies in parallel with their firewalls.

Some preliminary testing I have done did not reveal any available ports on the NetCache when scanned from the outside, and a search in the ICAT returned only 2 vulnerabilities recorded for the NetCache appliances (one of which was related to allowing HTTP tunnels in the default config).

Given this, and given that there have been firewall performance concerns by my client, I need a good reason not to install the NetCaches in parallel with the firewalls other than "it's not best practice". Does anyone have specific reasons why the NetCache proxies should not be installed in parallel with the firewall? In particular, any experiences with a NetCache being compromised would be very helpful.
Regards,
Kent