Don't know if this was answered for you yet or not but here's my 2 cents.
(yeah I'm donating back to the pool since I couldn't collect).

You can leave the proxy in place and protect it with the PIX but you're
leaving a point of failure for web access.  Yes there are always points of
failure but why have 2?  I would enable NAT or PAT on the PIX.  For
filtering and monitoring you might want to look into the Websense product
that the PIX works hand-in-hand with.

Will the default gateway change for users or is it pointed at another device
that can forward the default route towards the PIX?  If it changes you'll
need to release/renew all IP leases after changing the DHCP scope.

Is there a proxy client on each machine or is it just enabled to auto-detect
in the browser?  Proxy client..eww.  Auto-detect...no problem.

And trust me...PIX is much less vulnerable than MSProxy.  I'm no MSProxy
expert so this may be wrong..but I would think it needs quite a few ports
opened to it if behind a firewall.  I have no idea if any of the required
ports are exploitable but I'm sure you could find the list on MS
TechConnect.

Allen

----- Original Message -----
From: "Raees Ahmed Shaikh" 
To: 
Sent: Tuesday, July 10, 2001 1:07 AM
Subject: PIX Recommendations !!! [7:11651]


> Dear all,
>
> Thanks for all the suggestions and explanations. The main core reason for
> asking for the recommendations was that I was not really sure about the
> critical balance between security and usability.  Everybody knows about the
> MS-Proxy and its vulnerabilities and its openness to attacks. We bought the
> PIX just to secure our network from all those unknown vulnerabilities. I
> personally thought PIX box would be a nice buy, since it is less prone and
> has some built-in functionality to prevent such vulnerabilities.  The
> question which I face now is production change without interrupting the
> business, and change of activities to our end-user, meaning to say the
> end-users should not feel that something has changed.  Moreover the
> integration of the PIX with the current NT security model, the URL filtering
> option, and various DNS records modifications made me think to keep the
> proxy in its place and add the PIX as the first line of defense.
>
> Internet-----------Router-----------PIX---------------MSPROXY---------LAN
>
> A simple question which always comes to my mind concerning security is that,
> if the internet users have sessions to our MSproxy server and internal
> network, isn't our internal network still vulnerable to those attacks which
> were there prior to putting the PIX? We have enabled Winsock apps on the proxy,
> and a lot of apps are being used by our LAN users. Was that PIX worth a buy?
> etc etc.
>
> Still not sure what the final design will look like.  Just putting more time
> and research into it.
>
> Thanks and Regards,
>
> Shaikh Raees
>
> [GroupStudy.com removed an attachment of type image/jpeg which had a name of
> Glacier Bkgrd.jpg]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11711&t=11651