Audit Command Language ACL needs license validation periodically or once-off & to which site?

There's a request to open up the ACL (Audit Command Language) tool to the Internet from an internal zone server (i.e. not in the DMZ) for periodic licensing validation.

If we go through the Bluecoat proxy, will it work & is this considered secure? Or is it better that this server is moved into the DMZ (but this is not an option as this server's IP will change & we have to unjoin it from AD, as we don't have an AD in our DMZ, or rather it's blocked)?

Planning to restrict to a specific URL for outgoing only (or is an incoming port required too)?
sunhux Asked:

sunhux (Author) Commented:
No reply, closing
Blue Street Tech (Last Knight) Commented:
Hi sunhux,

I haven't used Blue Coat before (now Symantec), but if this is ONLY a web proxy and content filter, then you are on the wrong appliance in terms of security. You should be looking at your firewall.

Blue Coat.
If you allow this on the web proxy/content filter then I don't see much risk, as that appliance is again not really a security appliance. It would remove the HTTP caching (a performance mechanism) and remove the content filtering (there are some security mechanisms depending on the type of filter & its configuration, but not much at all: there is no inspection of any kind going on here at the packet level). It is hard to say in general how risky this action is because I don't have much to go on, meaning I don't know if you are under a specific compliance regime, the type of industry, or how sensitive this tool or your company is. So these are general guidelines.

Firewall.
If you were to do this on the firewall it would be a LAN>WAN orientation, not that big of a security concern in general, especially if you trust the application/tool. I always recommend filtering traffic outbound, so your DNS & Mail services would be locked down regardless of whether you allow this type of traffic or not.

If we go through bluecoat proxy, will it work & is this considered secure? Or it's better this server is moved into DMZ (but this is not an option as this server's
Again, I don't see a proxy as a security mechanism but rather a performance one. If the traffic ingresses from WAN>LAN, yes, move it into the DMZ. Any time there is ingress traffic to open ports I like the destination to be in the DMZ zone if possible, not only for containment but also for an L3 boundary. Even with access from the DMZ>LAN, having the L3 boundary invokes the packet inspection engine of the firewall; at least it should, and it does in firewalls like SonicWALL.

Planning to restrict to specific URL for outgoing only (or is incoming port required too)?
Egress and ingress change things. Make sure the communication is encrypted, and if it can't be then the risk goes up. In that case you should then move it to the DMZ and at the very least lock down the GeoIPs and source IPs to that application/tool with Botnet filtering.

Let me know if you have any other questions!
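As an added illustration (not code from the thread or from either product), a small Python policy check that encodes the advice above: only the licensing server may talk out, only to the vendor's licensing host over HTTPS, and no ingress to the internal zone at all. The source IP, hostnames and log entries are constructed placeholders, not values from the question.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed egress policy for the internal ACL licensing server. The source
# IP and vendor hostname are placeholders, not values from the thread.
POLICY = {
    "source": ipaddress.ip_network("10.20.30.40/32"),  # only the ACL server itself
    "allowed_hosts": {"licensing.example.com"},        # placeholder licensing host
    "allowed_schemes": {"https"},                      # encrypted transport only
    "allowed_ports": {443},
}


def evaluate(src_ip, direction, url, policy=POLICY):
    """Decide one request: {"allow": bool, "reasons": [...]}. Outbound (LAN>WAN)
    is allowed only when every field matches; ingress to the internal zone is
    always denied, since a host that must accept ingress belongs in the DMZ."""
    reasons = []
    if direction != "outbound":
        reasons.append("ingress to an internal-zone host is not permitted")
    u = urlparse(url)
    port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    if ipaddress.ip_address(src_ip) not in policy["source"]:
        reasons.append("source is not the licensing server")
    if u.hostname not in policy["allowed_hosts"]:
        reasons.append("destination host is not on the allow-list")
    if u.scheme not in policy["allowed_schemes"]:
        reasons.append("unencrypted scheme")
    if port not in policy["allowed_ports"]:
        reasons.append("destination port is not allowed")
    return {"allow": not reasons, "reasons": reasons}


def audit(requests, policy=POLICY):
    """Evaluate a batch of (src_ip, direction, url) tuples; return a summary."""
    allowed, denied = [], []
    for src_ip, direction, url in requests:
        verdict = evaluate(src_ip, direction, url, policy)
        (allowed if verdict["allow"] else denied).append((url, verdict["reasons"]))
    return {"allowed": allowed, "denied": denied}


# Constructed sample requests, as a proxy or firewall log might record them.
SAMPLE_REQUESTS = [
    ("10.20.30.40", "outbound", "https://licensing.example.com/validate"),  # intended check
    ("10.20.30.40", "outbound", "http://licensing.example.com/validate"),   # plaintext attempt
    ("10.20.30.41", "outbound", "https://licensing.example.com/validate"),  # another host
    ("10.20.30.40", "outbound", "https://updates.example.net/"),            # off-list destination
    ("203.0.113.5", "inbound", "https://10.20.30.40/"),                     # ingress from WAN
]

if __name__ == "__main__":
    for url, reasons in audit(SAMPLE_REQUESTS)["denied"]:
        print("DENY", url, "->", "; ".join(reasons))
```

Only the first sample request is allowed; the other four are denied with the specific reason, which is the same set of checks an egress rule on the firewall (rather than the proxy) would enforce.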
