Audit Command Language (ACL) needs license validation periodically or once-off, and to which site?

There's a request to open up the ACL (Audit Command Language) tool to the Internet from an internal zone server (i.e. not in the DMZ) for periodic licensing validation.

If we go through the Bluecoat proxy, will it work, and is this considered secure? Or is it better that this server be moved into the DMZ? (This is not an option, as this server's IP will change and we would have to unjoin it from AD, as we don't have AD in our DMZ, or rather it's blocked.)

Planning to restrict to a specific URL for outgoing only (or is an incoming port required too)?

sunhux asked:
sunhux (Author) commented:
No reply, closing

Blue Street Tech commented:
Hi sunhux,

I haven't used Blue Coat before (now Symantec), but if this is ONLY a web proxy and content filter, then you are on the wrong appliance in terms of security. You should be looking at your firewall.

Blue Coat.
If you allow this on the web proxy/content filter, then I don't see much risk, as that appliance is again not really a security appliance. It would remove the HTTP caching (a performance mechanism) and remove the content filtering (there are some security mechanisms depending on the type of filter and its configuration, but not much at all; there is no inspection of any kind going on here at the packet level). It is hard to say in general how risky this action is because I don't have much to go on, meaning I don't know whether you are under specific compliance, the type of industry, or how sensitive this tool or your company is. So these are general guidelines.

Firewall.
If you were to do this on the firewall it would be a LAN>WAN orientation, not that big of a security concern in general, especially if you trust the application/tool. I always recommend filtering traffic outbound so your DNS and mail services are locked down regardless of whether you allow this type of traffic or not.

"If we go through the Bluecoat proxy, will it work, and is this considered secure? Or is it better that this server be moved into the DMZ (but this is not an option as this server's..."
Again, I don't see a proxy as a security mechanism but rather a performance one. If the traffic ingresses from WAN>LAN, yes, move it into the DMZ. Any time there is ingress traffic to open ports, I like the destination to be in the DMZ zone if possible, not only for containment but also for an L3 boundary. Even with access from DMZ>LAN, having the L3 boundary invokes the packet inspection engine of the firewall; at least it should, and it does in firewalls like SonicWALL.

"Planning to restrict to a specific URL for outgoing only (or is an incoming port required too)?"
Egress and ingress change things. Make sure the communication is encrypted, and if it can't be, then the risk goes up. In that case you should move it to the DMZ and, at the very least, lock down the GeoIPs and source IPs to that application/tool with botnet filtering.

Let me know if you have any other questions!
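The rule the thread converges on (one internal server, outbound only, one licence destination, TLS only, no inbound port) can be written down and checked against connection logs before it goes onto the firewall or proxy. The following is an added example for this page, not code from the original question, from ACL or from Blue Coat; the server address 10.20.30.40, the licence host license.example.com, the port 443 and the log lines are all assumed/constructed here so it runs offline.

```python
"""Egress allow-list check for one internal server's licence call-home.

Added example for this thread, not code from the original post, from ACL or
from Blue Coat. It models the rule the asker described (one internal server,
outbound only, one destination, encrypted) and runs it over constructed
firewall/proxy log lines to show which attempts the rule should reject.
Assumed values: internal server 10.20.30.40, licence host
license.example.com, TCP port 443.
"""
from dataclasses import dataclass

# Assumed policy values (not from the original thread).
INTERNAL_SERVER = "10.20.30.40"
LICENCE_HOST = "license.example.com"
LICENCE_PORT = 443


@dataclass(frozen=True)
class Conn:
    direction: str   # "out" = LAN>WAN, "in" = WAN>LAN
    src: str         # source IP as logged
    dst_host: str    # destination host name (or IP if none was resolved)
    dst_port: int
    proto: str       # "https" (TLS) or "http" (plaintext)


def normalise_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'License.Example.com.' matches."""
    return host.strip().lower().rstrip(".")


def decide(conn: Conn) -> tuple[str, str]:
    """Apply the single-purpose egress rule; return (verdict, reason)."""
    if conn.direction != "out":
        return "deny", "inbound attempt; the licence check needs no open inbound port"
    if conn.src != INTERNAL_SERVER:
        return "deny", f"source {conn.src} is not the licensed server"
    if normalise_host(conn.dst_host) != LICENCE_HOST:
        return "deny", f"destination {conn.dst_host} is not the licence host"
    if conn.proto != "https" or conn.dst_port != LICENCE_PORT:
        return "deny", "only TLS on 443 is allowed; plaintext raises the risk"
    return "allow", "licence validation to the allow-listed host over TLS"


# Constructed log lines (not real traffic): direction,src,dst_host,dst_port,proto
SAMPLE_LOG = """\
out,10.20.30.40,license.example.com,443,https
out,10.20.30.40,License.Example.com.,443,https
out,10.20.30.40,license.example.com,80,http
out,10.20.30.41,license.example.com,443,https
out,10.20.30.40,updates.example.net,443,https
in,203.0.113.7,10.20.30.40,443,https
"""


def parse_line(line: str) -> Conn:
    """Split one comma-separated log line into a Conn record."""
    direction, src, dst_host, port, proto = line.split(",")
    return Conn(direction, src, dst_host, int(port), proto)


def audit(log_text: str) -> list[tuple[Conn, str, str]]:
    """Run every non-empty log line through the rule; return (conn, verdict, reason)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        conn = parse_line(line)
        verdict, reason = decide(conn)
        results.append((conn, verdict, reason))
    return results


def denied(log_text: str) -> list[tuple[Conn, str]]:
    """Only the rejected attempts, with the reason, for review."""
    return [(c, r) for c, v, r in audit(log_text) if v == "deny"]


if __name__ == "__main__":
    for conn, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5} {conn.direction:3} {conn.src} -> "
              f"{conn.dst_host}:{conn.dst_port}/{conn.proto}  ({reason})")
```

Of the six constructed lines, only the first two (the licensed server reaching the licence host on 443 over TLS, with or without a trailing dot or mixed case in the name) are allowed; the plaintext attempt, the second internal host, the unrelated destination and the inbound connection are all rejected, which is the behaviour to verify in the real firewall or proxy logs once the rule is live.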