Firewall Wizards mailing list archives

Re: Cacheflow Appliance


From: Kaptain <kaptain () kaptain com>
Date: Thu, 1 Feb 2001 11:12:16 -0800 (PST)

I would advise caution if you are close to purchasing a CacheFlow box.  I
have one in my lab and there are a few caveats that make it undesirable
in certain deployments.  Are you looking to do HTTP only with the box or
are you also interested in doing streaming media (Real only for
now)?  There are different OS builds for either and while the streaming
build does do HTTP, it is not very good at it.  Running Web Polygraph
with the PolyMix-3 workload (developed originally by NLANR but now run by
the Measurement Factory; open source too) readily shows its HTTP
perf.  BTW, Polygraph is the industry standard benchmark to use and it
simulates real life deployments relatively well (when using the poly 3
load).  I don't think that CacheOS is based on squid, as mentioned
below...though a port scan by nmap shows the http proxy squid port to be
open (named so by convention).  There are other appliance-ized caching
solutions that I would look at first.

-K




On Thu, 1 Feb 2001, Chris St. Clair wrote:

> Hi folks,
> Does anybody have any good or bad experiences with implementing and
> managing the Cacheflow appliance? My company are considering using

Overall, it's a pretty secure appliance. Relatively easy to set up
and maintain.

> increased performance for outgoing Web based access. I have been sent the
> details of a Security report carried out by Hiverworld, that suggested you
> could run the Cacheflow in parallel to your company's enterprise
> Firewall. (i.e. by-passing the firewall)
> The report suggests that because the Cacheflow OS is proprietary and does
> not allow inbound connection attempts. That it will "outscore" a

This is certainly an option; and that is definitely a benefit of the
Cacheflow; the ability to make the external interface dead to the
world. This buys you quite a bit in terms of protection from attacks
when it does sit in parallel with your perimeter firewall. However,
you would still do well to add some filtering rules on your border
router in case someone misconfigures the Cacheflow down the road
and brings that external interface up.

As for the report from Hiverworld suggesting security based on the
proprietary OS, I would take that point with a grain of salt. It may
be a proprietary OS, but at heart it's still an x86 based processor
(a well known CPU instruction set) running a modified version of squid
(original source is readily available). Both of which can be dug into by 
anyone with a clue, giving you much more to work with, than say, Cisco's 
IOS.

> I'm a bit uncomfortable with this approach, we have used application

As long as you're a bit uncomfortable, you'll do just fine. Start
worrying when you're not uncomfortable anymore :-)

Good luck, and hope this helps.

-chris
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


-------------------------------------------------------------------------
Caution: police line: you better not cross
Is it the cop or am I the one that's really dangerous?
Sanitation, Expiration date, Question Everything
Or shut up and be the victim of authority

-Greenday

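Chris's advice above rests on the cache's external interface staying dead to the world, and Kaptain notes that an nmap scan of the box reports the squid proxy port (named so by convention) as open. A defender who runs the cache in parallel with the firewall wants to keep re-checking that assumption: scan the appliance's outside address from the border on a schedule and fail the check if anything at all is listening, so a later misconfiguration that brings the external interface up is noticed before someone else notices it. The following Python script is an added example, not code from the thread or from CacheFlow: it parses nmap's grepable (`-oG`) output and reports open ports on a given host that are not on an allowlist (empty for an interface that should accept nothing). The addresses and scan lines are constructed for the example.

```python
"""Verify that a cache appliance's outside interface exposes no listening
services, by parsing nmap grepable (-oG) output.

Added example for the firewall-wizards thread; not CacheFlow's or the
posters' code.  Hosts, ports and scan lines below are constructed.
"""
import re
import sys

# Constructed sample of nmap -oG output.  192.0.2.10 stands in for the
# cache's external address after someone has brought that interface up
# (squid-http/3128 answering); 192.0.2.11 is what "dead to the world"
# should look like (everything filtered).
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 3128/open/tcp//squid-http///, 80/filtered/tcp//http///, 22/closed/tcp//ssh///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tPorts: 80/filtered/tcp//http///\tIgnored State: filtered (999)
# Nmap run completed (constructed sample)
"""

# One -oG port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG text."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment/header lines
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 192.0.2.10 ()" -> address
        ports = []
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for match in PORT_RE.finditer(field):
                    port, state, proto, service = match.groups()
                    ports.append((int(port), state, proto, service))
        results[host] = ports
    return results


def exposed_ports(scan, host, allowed=frozenset()):
    """Open ports on `host` that are not in `allowed`.

    For an external interface that should accept nothing, `allowed` stays
    empty and any result at all is a finding.
    """
    return sorted((port, service)
                  for port, state, proto, service in scan.get(host, [])
                  if state == "open" and port not in allowed)


def check_host(scan, host, allowed=frozenset()):
    """Return (ok, findings); ok is False when anything unexpected listens."""
    findings = exposed_ports(scan, host, allowed)
    return (not findings, findings)


if __name__ == "__main__":
    # Real use: nmap -sS -p- -oG - <outside-address> | python check.py <addr>
    text = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_SCAN
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    ok, findings = check_host(parse_grepable(text), target)
    if ok:
        print(f"{target}: no open ports, external interface still dead")
    else:
        for port, service in findings:
            print(f"{target}: port {port}/tcp ({service}) is OPEN")
        sys.exit(1)
```

Run it from the outside of the border router, not from the inside, or it will tell you about the interface you actually want answering. It complements rather than replaces the border-router filtering Chris recommends: the filter stops traffic if the interface comes up by mistake, and this check tells you that it did.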

