The NetCache will be used only for outbound web browsing by users; no inbound services will be allowed to servers. All inbound-initiated services would continue to go through the firewall. Sorry, I should have been more explicit about the intended use of the NetCache.
 
Regards,
Kent
-----Original Message-----
From: Bill Royds [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 20, 2002 5:18 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Opinions on netcache security

What they are really saying is that they want the NetCache to replace the firewall for your server segment, so you want to separate your server segment from any actual connection to your internal network after that is implemented. What does this imply for management of your servers?
Since the NetCache is not a full firewall and can't have access policies tuned, you need to ensure that any traffic that gets to your server segment can't bypass your firewall to reach your internal network. The NetCache may be secure in itself, but it doesn't protect your servers as well as the firewall (unless you have an open policy to your servers already).
You need to ensure that your servers are as well protected from attacks after the NetCache is installed as they are now, and that means the NetCache pass-through rules fit the same policies as on the firewall.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kent Hundley
Sent: Mon May 20 2002 18:06
To: [EMAIL PROTECTED]
Subject: Opinions on netcache security

I'm looking for opinions on the relative security of installing a netcache caching proxy in parallel with a firewall. 
 
I have always considered "best practices" to be that few, if any, devices should be installed in parallel to a firewall unless there is a compelling justification for doing so (fewer attack vectors, simplicity, etc.). However, my client is being told by Network Appliance that they should install their NetCache proxies in parallel with their firewalls for performance reasons. They are also being told that the NetCache proxies are "hardened" and do not support any outside-to-inside initiated connections, and that a large number of their clients install their NetCache proxies in parallel with their firewalls.

Some preliminary testing I have done did not reveal any available ports on the NetCache when scanned from the outside, and a search in ICAT returned only two vulns recorded for the NetCache appliances (one of which was related to allowing HTTP tunnels in the default config).

Given this, and given that there have been firewall performance concerns by my client, I need a good reason not to install the NetCaches in parallel with the firewalls other than "it's not best practice". Does anyone have specific reasons why the NetCache proxies should not be installed in parallel with the firewall? In particular, any experiences with a NetCache being compromised would be very helpful.
 
Regards,
Kent
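The two checks a reviewer would want before putting a proxy beside the firewall are whether it accepts CONNECT tunnels (the default-config issue Kent found in ICAT) and whether it will fetch arbitrary URLs on behalf of an untrusted network, since either one is a path around the firewall. The script below is an added example and is not code from the thread or from Network Appliance; the proxy address (a TEST-NET-1 placeholder), port 3128 and the target host are assumptions to be replaced with the proxy under test. Run it from the outside interface, where Kent did his port scan.

```python
"""Probe whether a caching proxy accepts tunnel (CONNECT) or forward (absolute-URI GET)
requests from the network the script runs on.

Added example, not part of the original thread. Proxy address, port and target host are
illustrative placeholders, not values from the thread.
"""
import socket
import sys

PROXY_HOST = "192.0.2.10"    # assumption: RFC 5737 TEST-NET-1 placeholder, replace
PROXY_PORT = 3128            # assumption: common proxy port, replace
TARGET_HOST = "example.com"  # a host the proxy should not fetch for outsiders
TIMEOUT = 5.0


def build_connect_request(host: str, port: int) -> bytes:
    """Raw HTTP/1.1 CONNECT request asking the proxy to open a TCP tunnel."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n\r\n"
    ).encode("ascii")


def build_forward_request(url: str) -> bytes:
    """Absolute-URI GET, the form a browser sends to a forward proxy."""
    host = url.split("/")[2]
    return (
        f"GET {url} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def classify_response(raw: bytes, method: str) -> str:
    """Map the proxy's status line to a verdict.

    'open'   - the proxy served the request (tunnel established, or origin fetched)
    'denied' - the proxy answered HTTP but refused (403/405/407 etc.)
    'silent' - no parseable HTTP status line (closed, filtered, or not HTTP at all)
    """
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "silent"
    try:
        status = int(parts[1])
    except ValueError:
        return "silent"
    if method == "CONNECT":
        # Only a 2xx means the tunnel is up; anything else is a refusal.
        return "open" if 200 <= status < 300 else "denied"
    # Forward GET: a 2xx or 3xx came from the origin, so the proxy fetched on our behalf.
    return "open" if 200 <= status < 400 else "denied"


def probe(proxy_host: str, proxy_port: int, request: bytes, method: str,
          timeout: float = TIMEOUT) -> str:
    """Send one request to the proxy and classify what comes back."""
    data = b""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(request)
            # Read until the end of the response headers or a small cap.
            while b"\r\n\r\n" not in data and len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return "silent"
    return classify_response(data, method)


def main() -> int:
    results = {
        "CONNECT tunnel": probe(PROXY_HOST, PROXY_PORT,
                                build_connect_request(TARGET_HOST, 443), "CONNECT"),
        "forward GET": probe(PROXY_HOST, PROXY_PORT,
                             build_forward_request(f"http://{TARGET_HOST}/"), "GET"),
    }
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    # Any 'open' verdict from an untrusted network means the proxy bypasses the firewall.
    return 1 if "open" in results.values() else 0


if __name__ == "__main__":
    sys.exit(main())
```

A "denied" verdict still tells you the proxy is reachable and speaks HTTP from that network, which is worth noting even if the rules currently hold; "silent" matches the no-open-ports result from the scan.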
 