Firewall Wizards mailing list archives
Re: Cacheflow Appliance
From: Kaptain <kaptain () kaptain com>
Date: Thu, 1 Feb 2001 11:12:16 -0800 (PST)
I would advise caution if you are close to purchasing a CacheFlow box. I have one in my lab and there are a few caveats that make it undesirable in certain deployments.

Are you looking to do HTTP only with the box or are you also interested in doing streaming media (Real only for now)? There are different OS builds for either and while the streaming build does do HTTP, it is not very good at it. Running Web Polygraph with the Polymix 3 workload (developed originally by NLANR but now run by the Measurement Factory; open source too) readily shows its HTTP perf. BTW, Polygraph is the industry standard benchmark to use and it simulates real life deployments relatively well (when using the poly 3 load).

I don't think that CacheOS is based on squid, as mentioned below...though a port scan by nmap shows the http proxy squid port to be open (named so by convention).

There are other appliance-ized caching solutions that I would look at first.

-K

On Thu, 1 Feb 2001, Chris St. Clair wrote:
> > Hi folks,
> >
> > Does anybody have any good or bad experiences with implementing and managing the Cacheflow appliance. My company are considering using
>
> Overall, it's a pretty secure appliance. Relatively easy to set up and maintain.
>
> > increased performance for outgoing Web based access. I have been sent the details of a Security report carried out by Hiverworld, that suggested you could run the Cacheflow in parallel to your company's enterprise Firewall. (i.e. by-passing the firewall)
> >
> > The report suggests that because the Cacheflow OS is proprietary and does not allow inbound connection attempts. That it will "outscore" a
>
> This is certainly an option; and that is definitely a benefit of the Cacheflow; the ability to make the external interface dead to the world. This buys you quite a bit in terms of protection from attacks when it does sit in parallel with your perimeter firewall. However, you would still do well to add some filtering rules on your border router in case someone misconfigures the Cacheflow down the road and brings that external interface up.
>
> As for the report from Hiverworld suggesting security based on the proprietary OS, I would take that point with a grain of salt. It may be a proprietary OS, but at heart it's still an x86 based processor (a well known CPU instruction set) running a modified version of squid (original source is readily available). Both of which can be dug into by anyone with a clue, giving you much more to work with, than say, Cisco's IOS.
>
> > I'm a bit uncomfortable with this approach, we have used application
>
> As long as you're a bit uncomfortable, you'll do just fine. Start worrying when you're not uncomfortable anymore :-)
>
> Good luck, and hope this helps.
>
> -chris
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards
-------------------------------------------------------------------------
Caution: police line: you better not cross
Is it the cop or am I the one that's really dangerous?
Sanitation, Expiration date, Question Everything
Or shut up and be the victim of authority
-Greenday