Um, I know this is probably stating the bleeding obvious...

I think the security of this sort of implementation revolves around
potential bypasses of the MS Proxy.

Let's imagine that the MS Proxy is inside the PIX (seems silly to do it the
other way around). Now, if you can get a packet through the PIX directly to
or from an internal host, then you don't have two layers at all - even if
most people configure their computers to use the Proxy server.

With the obvious clarification that MS Proxy doesn't do NAT (it's a proxy
server, yeah? It goes and gets things on the client's behalf. This is
distinct from rewriting and forwarding the original packet) then ideally I
would:

Set up the PIX for NAT from realIP <--> 192.168.x.x
Give the MS Proxy two NICs, one with a 192.168.x.x address (external) and
one with a 10.x.x.x address (internal)
Make sure no traffic can get straight from the PIX to 10.x.x.x (use rules if
you're a trusting soul, or run a xover cable from the PIX to the MS Proxy if
you're paranoid).
Make sure everyone on the LAN uses the MS Proxy.

It should be fail-closed if the Proxy server or the PIX dies (not that I've
thought this through a lot..)

There are some limitations, of course.

It's slower
Everyone needs to have the Winsock client thingy
Nobody can use any service that MS Proxy doesn't understand

Anyway, hope this clarifies things a little for you...

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct: +61 8 8422 8319            Mobile: +61 414 411 520


> -----Original Message-----
> From: Ward, Bryan [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 29, 1999 11:49 PM
> To: '[EMAIL PROTECTED]'; Ward, Bryan
> Cc: [EMAIL PROTECTED]
> Subject: RE: PIX and MS Proxy 2.0
> 
> 
> It will give you two levels of security. Have used it before 
> and had no
> problem.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 29, 1999 9:54 AM
> To: Ward, Bryan
> Cc: [EMAIL PROTECTED]
> Subject: RE: PIX and MS Proxy 2.0
> 
> 
> 
> 
> Yes, I know I answered my question, but I was trying to find 
> other way to
> resolve the problem. How good is to make NAT at a MS Proxy 
> Server that at
> the
> same time is doing PAT with the FW?
> 
> Regards,
> Matias Christensen.
> Networking Specialist
> Equant Argentina.
> +54-11-4349-0824
> 
> 
> 
> 
> 
> "Ward, Bryan" <[EMAIL PROTECTED]> on 29/07/99 10:44:08
> 
> To:   Matias Christensen/Equant, [EMAIL PROTECTED]
> cc:
> 
> Subject:  RE: PIX and MS Proxy 2.0
> 
> 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
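The layout Ben sketches above depends on one invariant: the only thing the PIX can talk to on its inside is the proxy's 192.168.x.x NIC, and nothing gets from the PIX straight to 10.x.x.x. As an added illustration (not code from the original thread, and not PIX syntax), the following script models a firewall rule list in a generic permit/deny form and checks that invariant before the rules go onto the box. Addresses such as 192.168.1.2 for the proxy's external NIC, and the rule format itself, are constructed for the example.

```python
"""Check a rule list for paths that bypass the MS Proxy in the PIX + Proxy layout.

Added example, not from the original mailing-list thread. The rule format is a
generic first-match permit/deny list with an implicit deny at the end, which
is how most packet filters of the era behave; it is NOT PIX configuration syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # LAN behind the proxy's inside NIC
DMZ = ip_network("192.168.0.0/16")         # segment between PIX inside and proxy outside NIC
PROXY_EXT = ip_network("192.168.1.2/32")   # constructed: the proxy's external NIC


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

    def covers(self, other: "Rule") -> bool:
        """True if this rule matches every packet the other rule would match."""
        return other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)


def rule(action: str, src: str, dst: str) -> Rule:
    return Rule(action, ip_network(src), ip_network(dst))


def shadowed(rules: list[Rule], idx: int) -> bool:
    """True if an earlier deny fully covers rules[idx]; under first-match it never fires."""
    target = rules[idx]
    return any(r.action == "deny" and r.covers(target) for r in rules[:idx])


def find_bypass_rules(rules: list[Rule]) -> list[Rule]:
    """Live permit rules that let a non-10/8 source reach 10/8 without touching the proxy."""
    hits = []
    for i, r in enumerate(rules):
        if r.action != "permit" or shadowed(rules, i):
            continue
        if r.dst.overlaps(INTERNAL) and not r.src.subnet_of(INTERNAL):
            hits.append(r)
    return hits


def find_overbroad_inbound(rules: list[Rule]) -> list[Rule]:
    """Live permit rules from outside into the 192.168 segment that reach more than the proxy NIC."""
    hits = []
    for i, r in enumerate(rules):
        if r.action != "permit" or shadowed(rules, i):
            continue
        from_outside = not r.src.subnet_of(DMZ) and not r.src.subnet_of(INTERNAL)
        if from_outside and r.dst.overlaps(DMZ) and not r.dst.subnet_of(PROXY_EXT):
            hits.append(r)
    return hits


def check_layout(rules: list[Rule]) -> dict[str, list[Rule]]:
    """Both checks at once; an empty result for each key means the layout holds."""
    return {"bypass": find_bypass_rules(rules), "overbroad": find_overbroad_inbound(rules)}


if __name__ == "__main__":
    # Constructed rule lists: the intended layout, and one with a hole in it.
    intended = [rule("permit", "0.0.0.0/0", "192.168.1.2/32"),
                rule("deny", "0.0.0.0/0", "10.0.0.0/8")]
    leaky = [rule("permit", "0.0.0.0/0", "192.168.0.0/16"),
             rule("permit", "192.168.0.0/16", "10.0.0.0/8")]
    for name, rules in (("intended", intended), ("leaky", leaky)):
        result = check_layout(rules)
        print(name, "bypass:", result["bypass"], "overbroad:", result["overbroad"])
```

The shadowing check matters: a permit into 10/8 that sits below a blanket deny is harmless, and flagging it would only produce noise; the same permit above that deny is a real bypass, and that is what the script reports. Swapping the crossover cable for rules, as the mail suggests for the trusting, is exactly the case where a check like this earns its keep.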
