Any box can be compromised, be it router, firewall, or proxy server, and
despite the religious war that generally erupts when you say it, any OS can
be compromised, be it Unix, Solaris, Linux, or NT.

Security is a matter of policy, and placement, and structure, and realistic
risk assessment.

Question - no matter what the box or function involved, should there be a
single point of vulnerability, one which if compromised, provides an
intruder direct access to your inside network? It does not matter if this
single point is a dial up modem line, or a firewall, or anything else. Is
this a risk worth taking?

My instinct is that security should be implemented in degrees, and in areas.
One should not design situations where the compromise of a single box puts
someone on the inside. So in that respect I take your side. My opinion is
that your associate would create a point of vulnerability where it is not
necessary to do so.

Chuck


-----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rik Guyler
Sent:   Monday, November 06, 2000 12:20 PM
To:     '[EMAIL PROTECTED]'
Subject:        Where do you put your proxy servers?

I am in the midst of a debate with a coworker on where to put a proxy server
in regards to firewall/security physical topology.  I say to disable proxy
services (if possible) and only use the content caching services, then put
the box in the DMZ with other services, like DNS, email, etc.  I like this
topology better as the firewall can provide some security for these servers
and I don't really need the proxy services as I typically will use NAT/PAT
on the firewall.

My coworker prefers to run the proxy server (proxy and content caching
services both enabled) in parallel to the firewall rather than in the
internal or DMZ networks, allowing all web surfing to bypass the firewall
and not tie up bandwidth on the firewall.  I don't like this as well as I
feel the security is weakened by doing this.  If it's possible to compromise
the proxy server (which my coworker doesn't feel is possible), then it might
be possible to compromise beyond that.

I realize his way may improve firewall performance, but the PIX has never
been short in this area and I want security to be top priority over
performance.

I have a fair amount of experience with this but I'm always open to
alternative thinking.  Please let me know what you think!

Rik Guyler
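As an added illustration of the question both messages above turn on (whether one box, once compromised, puts an intruder on the inside network), here is a small zone-reachability model of the two placements. This is example code written for this page, not something either poster or the list provided. The host names, the three zones, and the firewall policy are constructed assumptions; the policy is zone-level only, whereas a real PIX ruleset is port-specific and stricter, and the "parallel" placement is modelled as a dual-homed proxy with a leg on each side of the firewall.

```python
"""Zone-reachability model of the two proxy placements debated above.

Constructed example: zones, hosts and the policy are assumptions made for
illustration, not a description of any real network.
"""
from collections import deque

# Firewall policy: which zone may initiate connections into which zone.
# Assumed for the example; deliberately contains no path into "inside".
POLICY = {
    ("inside", "internet"),   # users browse the web
    ("inside", "dmz"),        # users reach DMZ DNS / mail
    ("internet", "dmz"),      # published DMZ services
}


def hosts_dmz():
    """Rik's placement: the proxy sits in the DMZ next to DNS and mail."""
    return {
        "attacker": {"internet"},
        "proxy": {"dmz"}, "dns": {"dmz"}, "mail": {"dmz"},
        "workstation": {"inside"}, "fileserver": {"inside"},
    }


def hosts_parallel():
    """Coworker's placement: a dual-homed proxy straddles the internet and
    inside segments so web traffic bypasses the PIX entirely."""
    hosts = hosts_dmz()
    hosts["proxy"] = {"internet", "inside"}
    return hosts


def can_initiate(src_zones, dst_zones, policy=POLICY):
    """True if a host in src_zones can open a connection to one in dst_zones."""
    if src_zones & dst_zones:          # same segment: no firewall in the path
        return True
    return any((s, d) in policy for s in src_zones for d in dst_zones)


def blast_radius(start, hosts, policy=POLICY):
    """Hosts an intruder holding `start` could reach, assuming (worst case)
    that every host reached may in turn be compromised and used as a hop."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for name, zones in hosts.items():
            if name not in seen and can_initiate(hosts[cur], zones, policy):
                seen.add(name)
                queue.append(name)
    return seen - {start}


def exposed_single_points(hosts, policy=POLICY):
    """Chuck's question, made checkable: which hosts the attacker can reach
    directly whose compromise alone gives a path onto the inside network."""
    inside = {n for n, z in hosts.items() if "inside" in z}
    direct = [n for n, z in hosts.items()
              if n != "attacker" and can_initiate(hosts["attacker"], z, policy)]
    return sorted(h for h in direct if blast_radius(h, hosts, policy) & inside)


if __name__ == "__main__":
    for label, hosts in (("proxy in DMZ", hosts_dmz()),
                         ("proxy parallel to firewall", hosts_parallel())):
        print(f"{label}: single points of vulnerability ="
              f" {exposed_single_points(hosts) or 'none'}")
```

With the DMZ placement the firewall policy has no DMZ-to-inside rule, so a compromised proxy can only reach its DMZ neighbours; with the parallel placement the same compromise lands the intruder on the inside segment with no firewall in the way, which is exactly the single point of vulnerability Chuck describes.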

_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
