ACE deployment considerations

Unanswered Question
Jul 3rd, 2010

Folks,


I'm looking for a good-practice guide for ACE deployment, if anyone can help.


I intend to use my ACE appliance to load balance traffic between 4 different proxy servers, i.e. users request a URL, e.g. www.cnn.com, from the ACE and it then connects to one of 4 proxies, which will then retrieve the web page and pass it back to the ACE, which will deliver the content to the user.


My ACE appliance is on my trusted/corporate LAN.


My proxies are on an untrusted LAN/DMZ behind a firewall.


I want to install a 4710 with its client interface on my corporate LAN (closest to the users) and the server interface on my proxy LAN, but I need to know if the ACE appliance is secure enough to be deployed in this topology.


Is it EAL certified, or does it run in a firewall/stateful inspection mode?


Thanks to anyone taking the time to read this or to reply.

UHansen1976 Mon, 07/05/2010 - 10:20
User Badges:
  • Bronze, 100 points or more

Hi,


As far as I know, the ACE is not stateful like your typical firewall device, and I have no knowledge of whether it's EAL certified or not.


However, since ACE comes with a wide range of inspection features and is generally considered very security-aware, you could argue that it would make a good firewall substitute. Personally, I've deployed the ACE as an addition to my firewall setup and attached the proxies to ACE on dedicated interfaces, having a client-side interface pointing towards the users and a dedicated egress interface attached to the firewall on a DMZ. That way any NAT rules can remain unchanged.


Another option, depending on your topology, would be a bridge-mode implementation, basically deploying the ACE as a bump-in-the-road between the firewall DMZ and the proxies.


Anyway, just my thought. Hope you find 'em useful.


/Ulrich

mulhollandm Mon, 07/05/2010 - 14:20

Ulrich,


Many thanks for your offering; it's greatly appreciated and very helpful.


I suspect I'll have to go with putting a failover pair of 4710s inline to my proxies.


I'll readdress the firewall interface and put the 4710s in front of the proxies, so I can keep my proxies with the same IPs and simply put a static route to the proxies via the client side.


Thanks again.

jasonpresnell Tue, 07/06/2010 - 21:00

Just one minor point:


"As far as I know, the ACE is not stateful like your typical firewall device, and I have no knowledge of whether it's EAL certified or not."


Actually, the ACE is a stateful packet inspection based solution. It could not achieve much of what it does without maintaining state. It is certainly not as feature-rich as, say, an ASA firewall or IDS/IPS system for security, but nevertheless it has a considerable amount of DDoS, normalization, and ACL features.

UHansen1976 Tue, 07/06/2010 - 23:15
User Badges:
  • Bronze, 100 points or more

Hi Jason,


Thanks for the info.


/Ulrich
