This is the same configuration that I presently set up and it works well.
I just have one concern: Internet webservers have a direct connection to
my proxy server which lies in the internal network. If it were somehow
possible to send commands to the proxy server to be executed (through a
bug in the proxy server, etc.) then effectively my whole internal
network is compromised. A telnet session would never be achieved due to
the firewall but that is not always necessary. Is there anything I can
do about this besides tightening security on the proxy server and
keeping the proxy server up to date? Would it be smart to put the proxy
in an Extranet (which, of course, complicates the firewall
configuration)? Am I overstating this potential problem? I understand
that security is relative but I would like to do as much as is practical
and affordable (two more relative words).

-- 
Best Regards,

Neil Hare    
System & Network Support 


> Date: Tue, 29 Jun 1999 13:25:36 -0500
> From: "Jay Schulman" <[EMAIL PROTECTED]>
> Subject: RE: HTTP Proxy and FW
>
> This is a common misconception.  One of our network guys insists that
> the proxy server go "around" the firewall.
> 
> Just set up your firewall policy to allow only the proxy to perform
> http requests (any ftp, etc).  This forces users to use the proxy.  In
> this case you are using the proxy for bandwidth savings and more
> enhanced logging/prevention capabilities.  The security is based in
> the firewall.
> 
> The "proxy" call just means that the web server is making the request
> rather than the individual PC.
> 
> Hope this helps.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Carric Dooley
> Sent: Tuesday, June 29, 1999 10:45 AM
> To: Firewalls List
> Subject: HTTP Proxy and FW
> 
> [snip]
> 
> Here is where I am not totally sure after thinking about it.  Can the
> proxy server have just one NIC (then how does it proxy?) or do I have to
> subnet the firewall from my Proxy server and put two NICs in it?
>