Educause Security Discussion mailing list archives

Re: Campus Google search appliance deployments


From: Wyman Miles <wm63 () CORNELL EDU>
Date: Tue, 5 Jun 2007 15:22:04 -0400

Can't stress this enough: a Google appliance is going to be inside any sort
of access controls you have -- if you put it there.  It will see, record,
and cache all manner of things that you thought were confined to your
campus.

In a previous life, what we did at Rice was build a (then Squid) proxy
server, place it on an external network, and point the Google appliance at
it.  Every server on campus saw requests coming from the proxy server and
their access controls applied as-if-external.  Further, we could do some
filtering and URL rewriting in Squid, search for previously applied bait,
etc.

We've seen at least one instance here where Cornell's Google appliance
cached some mailing list content that was intended to be Cornell-only.

It definitely raises the bar, in all sorts of unexpected ways.

--On Tuesday, June 05, 2007 2:05 PM -0400 David Seidl <dseidl () ND EDU>
wrote:

Folks,

I'm looking for comments and experience with campus Google search
appliance deployment. Specifically:

1) Did you take any special security precautions in your deployment?

2) Have you had any security (or other) issues with it?

Also, if you have done the integration work to use your campus
authentication systems with it using Google's API, I'd be interested to
hear about how the process went.

If you have any general observations about your appliance, I'd be glad
to hear those as well.

Thanks!

David
--
------------------------------------------------------------
David Seidl, CISSP
University of Notre Dame, Office of Information Technologies



Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
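
Added example, not part of the original message or of any setup it describes: with the appliance crawling through an external proxy, the proxy's access log shows what the crawler was actually able to fetch, so it can be audited for campus-only content that an origin server served anyway. The sketch assumes Squid's native access.log format; the crawler address, hostnames and campus-only list are constructed.

```python
from urllib.parse import urlsplit

# Constructed values for illustration; none come from the original message.
CRAWLER_IP = "192.0.2.10"       # address the search appliance crawls from
CAMPUS_ONLY = [                 # (host, path prefix) that should deny external clients
    ("lists.example.edu", "/private/"),
    ("intranet.example.edu", "/"),
]

# Constructed sample lines in Squid native format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1181071324.101     45 192.0.2.10 TCP_MISS/200 5120 GET http://www.example.edu/ - DIRECT/198.51.100.5 text/html
1181071325.220     38 192.0.2.10 TCP_MISS/403 1210 GET http://intranet.example.edu/hr/ - DIRECT/198.51.100.7 text/html
1181071326.007     61 192.0.2.10 TCP_MISS/200 8843 GET http://lists.example.edu/private/staff/msg01.html - DIRECT/198.51.100.9 text/html
1181071327.450     12 192.0.2.77 TCP_MISS/200 8843 GET http://lists.example.edu/private/staff/msg01.html - DIRECT/198.51.100.9 text/html
malformed line
"""

def parse_line(line):
    """Return (client, status, url) from one log line, or None if unparsable."""
    fields = line.split()
    if len(fields) < 7 or "/" not in fields[3]:
        return None
    status = fields[3].rsplit("/", 1)[1]
    if not status.isdigit():
        return None
    return fields[2], int(status), fields[6]

def is_campus_only(url):
    """True when the URL falls under a host/prefix listed in CAMPUS_ONLY."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return any(host == h and path.startswith(p) for h, p in CAMPUS_ONLY)

def leaked_to_crawler(log_text):
    """URLs the crawler fetched with a 2xx status although they are campus-only."""
    leaks = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip truncated or foreign-format lines
        client, status, url = parsed
        if client == CRAWLER_IP and 200 <= status < 300 and is_campus_only(url):
            leaks.append(url)
    return leaks

if __name__ == "__main__":
    for url in leaked_to_crawler(SAMPLE_LOG):
        print("crawler reached campus-only content:", url)
```

A 403 for the crawler on a campus-only URL is the expected outcome; a 2xx means that server's access control does not treat the proxy as external and the content is likely already indexed or cached.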
