FOR: Granular policies mean that it can control content on a 'need-to-access', user-by-user basis.

AGAINST: Although able to handle SSL-encrypted data, it must be fitted on the unencrypted side of any VPN hardware.

VERDICT: Complements and reduces the load on firewalls by defending against Internet content-related threats and protecting against denial-of-service attacks.
CacheFlow is well known for reducing user wait times for web content with its caching proxy servers, but less well known for security features. However, CacheFlow has been adding security features to its systems over the last few years: content filtering in 1999, SSL ASICs and denial-of-service (DoS) protection in 2000, and the caching of secure content and coordination with authentication systems in 2001. Now CacheFlow has introduced a new product family called the CacheFlow Security Gateway.

The CacheFlow Security Gateway is designed to work in conjunction with firewalls, taking much of the burden of HTTP, HTTPS and streaming-traffic management off the firewall itself and providing user access security, content filtering, active content stripping, virus checking and network bandwidth protection. The Security Gateway can also authenticate and cache SSL-encrypted data, which could be very useful to the many large companies that use SSL for intranet content and need distributed devices to improve performance for remote users.

But it's the newer security features that are most interesting, and the Security Gateway supports a lot of different options. These include securing data transmission (authentication and authorization before data requests are accepted), securing systems from virus attacks (virus-scanning coordination and active content removal), reducing legal liability (filtering of inappropriate content), securing intellectual property (blocking access to web-based email systems and stopping users from posting to web sites), securing transmission media (bandwidth limits on streaming media and bandwidth savings from caching), reducing delays to users (scaling down the number of requests to virus-scanning servers, reducing load on firewalls and caching content locally) and securing workstations from known security holes (enforcing corporate browser and

The Java-based management interface that sets up all of these options also enables the system manager to define granular policies. The management interface allows decisions on handling content to be made on any of the following policy parameters: user name, user group, physical machine, IP address, time of day, day of week, file type, MIME type, site content category, site URL (with wildcards), protocol, and user client application. Based on these parameters, the following decisions may be made: allow content through and cache it, allow content through but do not cache it, disallow all page content, block individual objects or files, replace a file with another object or with text, or scan content for viruses. In this way, complex sets of rules can be configured for individual requirements. For example, you could block all ActiveX controls unless the requester is from the IT department and the site being accessed is www.microsoft.com.

Initial set-up is carried out from the front panel of the 1U-high rack-mountable housing, using an LCD panel and a 'joystick' control. Once an IP address has been set for the system, the system manager uses a browser to set up the remaining configuration parameters.

The user authentication system communicates with any Windows NT, LDAP or RADIUS server. If the user has already logged into the network, web access doesn't need a further password. However, the system challenges for a valid name and password if a user has just turned on a PC without logging into the corporate authentication system, so the Security Gateway can make sure that nobody gets access to the Internet without being validated.

You can set up content filtering to block access to sites for web-based email, online selling and pornography, but this can be done on a user-by-user basis, so you can allow your purchasing department, for example, to access online selling sites while blocking those sites to all other users.
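To show how the granular policy model described above behaves, here is an added example in Python. It is not CacheFlow code: it models the policy parameters the review lists (user, group, client IP, URL wildcard, MIME type, site category, protocol, time of day) and the decisions (allow and cache, allow without caching, deny, block object, replace, scan) as an ordered rule list in which the first match wins, so the ActiveX exception for IT users visiting www.microsoft.com and the purchasing-department exception for online selling sites must precede the general blocks. The users, groups, hosts, categories, MIME types and rules below are constructed for the example.

```python
"""Proxy content policy as an ordered, first-match rule list.

Added illustration, not CacheFlow code. All users, groups, hosts, categories,
MIME types and rules are constructed for the example.
"""
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional

ALLOW_CACHE, ALLOW_NOCACHE, DENY, BLOCK_OBJECT, REPLACE, SCAN = (
    "allow+cache", "allow-nocache", "deny", "block-object", "replace", "scan")


@dataclass
class Request:
    user: str
    group: str
    client_ip: str
    url: str
    mime_type: str
    category: str       # site category from the licensed URL database
    protocol: str       # "http" or "https"
    when: time          # local time of day of the request


@dataclass
class Rule:
    action: str
    groups: Optional[set] = None
    users: Optional[set] = None
    networks: Optional[list] = None   # CIDR strings
    url_glob: Optional[str] = None    # wildcard over the full URL, case-insensitive
    mime_types: Optional[set] = None
    categories: Optional[set] = None
    protocols: Optional[set] = None
    hours: Optional[tuple] = None     # (start, end) inclusive time-of-day window
    replacement: str = ""             # text substituted when action is REPLACE

    def matches(self, r: Request) -> bool:
        """A parameter left as None is a wildcard; every set parameter must match."""
        return (
            (self.groups is None or r.group in self.groups)
            and (self.users is None or r.user in self.users)
            and (self.networks is None
                 or any(ip_address(r.client_ip) in ip_network(n) for n in self.networks))
            and (self.url_glob is None or fnmatchcase(r.url.lower(), self.url_glob.lower()))
            and (self.mime_types is None or r.mime_type in self.mime_types)
            and (self.categories is None or r.category in self.categories)
            and (self.protocols is None or r.protocol in self.protocols)
            and (self.hours is None or self.hours[0] <= r.when <= self.hours[1])
        )


def decide(rules, r: Request):
    """First matching rule wins: a specific exception must come before the general block it punches through."""
    for rule in rules:
        if rule.matches(r):
            return rule.action, rule
    return ALLOW_CACHE, None   # implicit default: pass the object and cache it


# Constructed MIME types standing in for ActiveX objects and executables.
ACTIVEX = {"application/x-oleobject", "application/vnd.ms-cab-compressed"}
EXECUTABLE = {"application/x-msdownload", "application/octet-stream"}


def example_policy():
    return [
        # The review's example: block all ActiveX unless IT is fetching it from www.microsoft.com.
        Rule(ALLOW_CACHE, groups={"IT"}, url_glob="http://www.microsoft.com/*", mime_types=ACTIVEX),
        Rule(BLOCK_OBJECT, mime_types=ACTIVEX),
        # Purchasing may use online selling sites; everyone else is blocked from them.
        Rule(ALLOW_CACHE, groups={"Purchasing"}, categories={"shopping"}),
        Rule(DENY, categories={"shopping", "webmail", "pornography"}),
        # Games sites are off limits during working hours only.
        Rule(DENY, categories={"games"}, hours=(time(9, 0), time(17, 0))),
        # Scripts are stripped and replaced with a short notice.
        Rule(REPLACE, mime_types={"application/x-javascript"}, replacement="[script removed by policy]"),
        # Executables are handed to the virus scanner.
        Rule(SCAN, mime_types=EXECUTABLE),
    ]


def sample_request(**overrides) -> Request:
    """Constructed baseline request; override fields to build individual cases."""
    base = dict(user="alice", group="Marketing", client_ip="10.1.2.3",
                url="http://news.example.com/index.html", mime_type="text/html",
                category="news", protocol="http", when=time(10, 30))
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    policy = example_policy()
    for label, req in [
        ("IT fetching a .cab from Microsoft", sample_request(
            group="IT", url="http://www.microsoft.com/ie/setup.cab",
            mime_type="application/vnd.ms-cab-compressed")),
        ("Marketing fetching the same .cab", sample_request(
            url="http://www.microsoft.com/ie/setup.cab",
            mime_type="application/vnd.ms-cab-compressed")),
        ("Purchasing on a shopping site", sample_request(group="Purchasing", category="shopping")),
        ("Marketing on a shopping site", sample_request(category="shopping")),
    ]:
        print(f"{label}: {decide(policy, req)[0]}")
```

Rule order is the whole game: swapping the first two rules would make the IT exception unreachable, and the evaluator gives no warning about shadowed rules, so a real policy list should be reviewed for that after every change.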
CacheFlow hasn't created its own blacklists of URLs to block, but has licensed the third-party SmartFilter database. You can also ask the system to block JavaScript and embedded commands, replacing them with a brief line of text. This works well, but it makes some web pages look strange.

The CacheFlow appliance can communicate with third-party virus-scanning servers using the Internet Content Adaptation Protocol (ICAP). Trend Micro and Symantec sell virus-scanning systems that are compatible with CacheFlow's ICAP implementation. You can define the file types you want scanned for viruses and whether a request should 'fail open' or 'fail closed' if the scanner isn't available: 'fail open' lets the content through unscanned, while 'fail closed' blocks it. Fail open keeps users working during a scanner outage at the cost of unscanned downloads, so it is only appropriate for file types you would tolerate passing unchecked.

You can also restrict access based on browser type and version, thus enforcing a minimum software revision level on users of, for example, Internet Explorer. This could be useful for system managers who tire of portable PCs with old software versions: when a travelling staff member comes into the office and connects to the corporate LAN, the system can automatically prompt them to upgrade their software.

The system can manage streaming files, including enforcing a bandwidth-limitation policy. A proxy application running on the Security Gateway can also serve multiple requests for the same data from a single incoming stream, and cache streaming files for future users. This could be very useful for companies now embracing streaming for executive broadcasts and distance-learning applications.

There is a comprehensive reporting application, CacheFlow Reporter, which logs and graphs full details of user access, enabling management to drill down and see top sites, top users, access at particular times of day and full details of where everyone has been.

Overall, this is a highly polished appliance that plugs the holes in many companies' security policies. The strength of the granular control is that it allows exceptions to be made for specific users for certain content. The unit we tested was the CacheFlow Security Gateway 616, which is designed for throughputs of up to 26Mbit/s and contains 36GB of disk space and 640MB of RAM. Larger and smaller systems are also available, with throughputs of up to 200Mbit/s.
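The virus-scanning hand-off with its fail-open and fail-closed modes, and the browser minimum-version check, are both worth seeing in code. The following is an added example in Python and not CacheFlow's own implementation: the scanner class stands in for an ICAP server (it returns a verdict or raises when unreachable), the per-file-type policy table, the verdict strings and the User-Agent strings are all constructed for the example, and the version check covers only the classic "MSIE major.minor" User-Agent format that Internet Explorer of that era sent.

```python
"""Virus-scan gate with fail-open / fail-closed, plus a minimum browser version check.

Added illustration, not CacheFlow code. FakeIcapScanner stands in for an ICAP
scanning server; the policy table, verdicts and User-Agent strings are constructed.
"""
import re

PASS, PASS_UNSCANNED, BLOCK = "pass", "pass-unscanned", "block"


class ScannerUnavailable(Exception):
    """Raised when the scanning server cannot be reached (constructed failure)."""


class FakeIcapScanner:
    """Stand-in for an ICAP scanner: returns 'clean' or 'infected', or raises if down."""

    def __init__(self, available: bool = True, infected_marker: bytes = b"EICAR"):
        self.available = available
        self.marker = infected_marker   # constructed signature, not a real detection engine

    def scan(self, body: bytes) -> str:
        if not self.available:
            raise ScannerUnavailable("scanner not responding")
        return "infected" if self.marker in body else "clean"


# Constructed policy: extension -> (scan this type?, behaviour when the scanner is down).
SCAN_POLICY = {
    ".exe": (True, "closed"),
    ".zip": (True, "closed"),
    ".doc": (True, "open"),     # availability chosen over safety for office documents
    ".html": (False, None),     # never scanned
}
UNKNOWN_TYPE = (True, "closed")   # anything not listed: scan, and block if that fails


def gate(filename: str, body: bytes, scanner, policy=SCAN_POLICY) -> str:
    """Decide whether an object may pass, applying the file type's fail mode on scanner outage."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    scan, fail_mode = policy.get(ext, UNKNOWN_TYPE)
    if not scan:
        return PASS_UNSCANNED
    try:
        verdict = scanner.scan(body)
    except ScannerUnavailable:
        # Fail open lets the object through without a verdict; fail closed blocks it.
        return PASS_UNSCANNED if fail_mode == "open" else BLOCK
    return BLOCK if verdict == "infected" else PASS


_MSIE = re.compile(r"MSIE (\d+)\.(\d+)")


def browser_version(user_agent: str):
    """Return (major, minor) for an Internet Explorer User-Agent string, else None."""
    m = _MSIE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def meets_minimum(user_agent: str, minimum=(5, 5)) -> bool:
    """True only when the client identifies as IE at or above the required revision."""
    version = browser_version(user_agent)
    return version is not None and version >= minimum


if __name__ == "__main__":
    down = FakeIcapScanner(available=False)
    print("setup.exe, scanner down:", gate("setup.exe", b"MZ...", down))
    print("memo.doc, scanner down:", gate("memo.doc", b"text", down))
    print("MSIE 5.01 allowed:", meets_minimum("Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"))
```

Note that an unknown file type is treated as scan-and-fail-closed on purpose; a default of fail open would let an attacker bypass scanning simply by renaming a file. The User-Agent check is an inventory aid, not a security control: the header is client-supplied and trivially forged.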
SC On-Line

Copyright © West Coast Publishing. All rights reserved.