Neil,
Most proxy servers I've come in contact with have really
neat buffer overflow bugs.
My advice would be to place it in the DMZ, this way
your proxy is somewhat protected from the Bad Guys(tm),
and your internal network is protected from the
proxy server.
That's what I usually do.
- Even if you're convinced that your proxy server
is secure, every layer of toilet paper counts in my
opinion. :-)
Hey, wait, let's chuck everyone using a browser
in the DMZ and be rid of the problem!
- Ehhhh..? ;-)
/Mike
Neil Hare wrote:
>
> This is the same configuration that I presently setup and it works well.
> I just have one concern, Internet webservers have a direct connection to
> my proxy server which lies in the internal network. If it were somehow
> possible to send commands to the proxy server to be executed (through a
> bug in the proxy server, etc.) then effectively my whole internal
> network is compromised. A telnet session would never be achieved due to
> the firewall but that is not always necessary. Is there anything I can
> do about this besides tightening security on the proxy server and
> keeping the proxy server up to date? Would it be smart to put the proxy
> in an Extranet (which, of course, complicates the firewall
> configuration)? Am I overstating this potential problem? I understand
> that security is relative but I would like to do as much as is practical
> and affordable (two more relative words).
>
> --
> Best Regards,
>
> Neil Hare
> System & Network Support
>
> > Date: Tue, 29 Jun 1999 13:25:36 -0500
> > From: "Jay Schulman" <[EMAIL PROTECTED]>
> > Subject: RE: HTTP Proxy and FW
> > This is a common misconception. One of our network guys insists that
> > the proxy server go "around" the firewall.
> >
> > Just set up your firewall policy to allow only the proxy to perform
> > http requests (any ftp, etc). This forces users to use the proxy. In
> > this case you are using the proxy for bandwidth savings and more
> > enhanced logging/prevention capabilities. The security is based in
> > the firewall.
> >
> > The "proxy" call just means that the web server is making the request
> > rather than the individual PC.
> >
> > Hope this helps.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Carric Dooley
> > Sent: Tuesday, June 29, 1999 10:45 AM
> > To: Firewalls List
> > Subject: HTTP Proxy and FW
> >
> > [snip]
> >
> > Here is where I am not totally sure after thinking about it. Can the
> > proxy server have just one NIC (then how does it proxy?) or do I have
> > to subnet the firewall from my Proxy server and put two NICs in it?
> >
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]