I don't think that we already have a document that describes hardening, but I want to mention some ideas for hardening:
- Use multiple NICs and associate services with them. You do have more than one NIC in your Appliance, so you should use it. I would specify separate NICs for the Proxy Traffic and for internal traffic, such as Cluster Communication and GUI accesses. In each "Port" field in the MWG configuration you can change the Port (for example "9090") to IP:Port (for example "192.168.0.1:9090"). Doing so, you can ensure that end-users are not able to access the Admin interface, even from a network perspective, by choosing a NIC that is only accessible to your Admin users.
- The same should apply to the SSH service running on the MWG. By default it binds to any available IP address. Since we do not want to play around with the SSH configuration file, I would recommend using the Network Protection feature to restrict port 22 accesses. Doing so will prevent the majority of users from even seeing a Logon prompt on port 22, which is good for security.
By default there are no further services running on the appliance. Just to be really sure, you can use a Firewall or the Web Gateway Network Protection to block all accesses except those pointing to your proxy port, at least on the NIC facing your users.
Doing so should give you a better feeling. I hope it helps to get started.
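As an added illustration of the "Port" versus "IP:Port" point above (example code, not McAfee's or the poster's): a small POSIX shell audit that parses `ss -H -lnt`-style listener lines and flags services bound to a wildcard address instead of a specific interface IP. The listener lines and the 8443 management port are constructed sample values.

```shell
#!/bin/sh
# Audit listening TCP sockets for wildcard binds (0.0.0.0, [::] or *).
# Input format is that of `ss -H -lnt`: State Recv-Q Send-Q Local Peer.

# Constructed sample output; 8443 stands in for a management port.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 192.168.0.1:9090 0.0.0.0:*
LISTEN 0 128 [::]:8443 [::]:*
LISTEN 0 128 127.0.0.1:8443 0.0.0.0:*'

# Read ss-style lines on stdin; print "port address" for each listener
# whose local address is a wildcard. The port is split off after the
# last colon so bracketed IPv6 addresses are handled correctly.
wildcard_listeners() {
    awk '{
        laddr = $4
        n = split(laddr, parts, ":")
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print port, addr
    }'
}

# Return 0 when none of the given ports is wildcard-bound, 1 otherwise,
# printing a warning per offending port.
# Usage: check_ports "$listener_lines" "22 8443"
check_ports() {
    lines=$1; ports=$2; rc=0
    for p in $ports; do
        if printf '%s\n' "$lines" | wildcard_listeners |
            awk -v p="$p" '$1 == p { found = 1 } END { exit !found }'; then
            echo "WARN: port $p is bound to a wildcard address"
            rc=1
        fi
    done
    return $rc
}

# Live use on an appliance would be: ss -H -lnt | wildcard_listeners
check_ports "$SAMPLE_LISTENERS" "22 9090 8443"
```

With the sample data this reports ports 22 and 8443; 9090 is bound to 192.168.0.1 and passes.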
You talked about two things:
- connecting through SSH
- availability through more NIC cards
I think this is done by default in our enterprise. Are there more specific guidelines, like Cisco hardening...?
I think a big enterprise like McAfee should have hardening standards... do you agree with me?
Thanks for your post, I really do appreciate it.
I think basically you have some company-related guidelines to ensure that the "normal user" is kept away from everything that may be critical, such as SSH. I think this has already been done in this case, which is good.
I agree that having a document that gives more hints on this topic and/or defines a standard "lock down" policy would be very helpful to customers. Unfortunately we currently don't have one, and it is not up to me to decide if this should/can be done or not. I would recommend filing your request as an FMR, to have it officially recorded. To do so, please describe your wish/requirement on
The network protection "feature" broke our setup with WCCP, so we had to be creative in how we were going to protect the appliances. You can modify the hosts.allow and hosts.deny to restrict SSH access, change the https connector interface to localhost and then tunnel your ssh connection to your mgmt port listening on the localhost.
The issue with network protection and WCCP should be addressed in 7.1.6 (currently in beta). To productivityenhancer: do you already have a case open for that issue? If so, let me know the SR #.