Re: OT: Hardware proxy?

At 02:47 PM 7/21/99 -0700, Harry Whitehouse wrote:
> Is there an industrial-strength proxy available commercially which only
> permits 443 traffic? I know I could get something like MS Proxy Server
> software and run it on an NT, but the stream of security patches I get
> from MS regarding NT isn't particularly calming to me -- suppose someone
> hacks my proxy NT? So is there something more basic -- perhaps a
> dedicated hardware device -- which would do this job?

Harry,

It *sounds* like you are describing a 'network appliance firewall'. We sell and have had excellent experience with the Firebox II, from WatchGuard (www.watchguard.com). Moderate cost ($5K), stand-alone bright red box - no OS troubles (though it is Linux based), no separate hardware, *really* straightforward management from your admin console, realtime security updates (daily).

Lee

Leland V. Lammert                [EMAIL PROTECTED]
Chief Scientist                  Omnitec Corporation
Network/Internet Consultants     www.omnitec.net
__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        [EMAIL PROTECTED]
Automated List Manager           [EMAIL PROTECTED]
RE: OT: Hardware proxy?

Leland --

I scanned your site and Watchguard's. Both look very interesting and relevant to my needs.

We are in the early design phases of a super secure, rather high volume (perhaps 1M hits/8 hr day) environment. The transactions are quite simple. An incoming HTTPS query of about 150 bytes. The response from the secure service is also about 150 bytes long. The HTTPS query will be handled by a farm of NT servers running IIS. We are using ISAPI DLL's (which run under IIS) to handle the HTTPS request. This is the ONLY type of traffic which will traverse the firewall. There will be no need for PC's inside this secure network to browse or access the Internet. The network will be ENTIRELY dedicated to these secure transactions.

So what I need Firewall II to do is

a). Permit these HTTPS transactions.
b). Exclude all other port traffic.
c). Provide absolutely no access to the internal NT farm except via the aforementioned HTTPS transactions.
d). Perhaps provide protection against denial of service attacks (if that's possible with such a device).
e). Be certain that Firewall II can not be hacked or administered by outside parties.

Are we on the right track with FireWall II? How do I provide system redundancy -- with two units running in parallel?

TIA

Harry (yet another Ph.D.! Mechanical Engineering)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Leland V. Lammert
Sent: Thursday, July 22, 1999 9:07 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: OT: Hardware proxy?

> At 02:47 PM 7/21/99 -0700, Harry Whitehouse wrote:
> > Is there an industrial-strength proxy available commercially which only
> > permits 443 traffic? I know I could get something like MS Proxy Server
> > software and run it on an NT, but the stream of security patches I get
> > from MS regarding NT isn't particularly calming to me -- suppose someone
> > hacks my proxy NT? So is there something more basic -- perhaps a
> > dedicated hardware device -- which would do this job?
>
> Harry,
>
> It *sounds* like you are describing a 'network appliance firewall'. We sell
> and have had excellent experience with the Firebox II, from WatchGuard
> (www.watchguard.com). Moderate cost ($5K), stand-alone bright red box - no
> OS troubles (though it is Linux based), no separate hardware, *really*
> straightforward management from your admin console, realtime security
> updates (daily).
>
> Lee
>
> Leland V. Lammert                [EMAIL PROTECTED]
> Chief Scientist                  Omnitec Corporation
> Network/Internet Consultants     www.omnitec.net
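The five properties Harry asks for, written down as one ordered, default-deny policy so the rule ordering and the per-source rate limit can be checked against sample connection attempts. This is an added example for the thread, not code from the list or from any firewall vendor; the subnets, addresses and rate numbers in it are constructed placeholders.

```python
"""Default-deny edge policy for a 443-only service network.

Added example (not from the thread, and not any vendor's product): it models
the five properties Harry asks for as one ordered, default-deny policy:
(a) permit HTTPS to the farm, (b) drop every other port, (c) no other path
into the farm, (d) per-source new-connection rate limiting as crude flood
protection, (e) firewall management reachable only from the admin subnet.
All addresses, subnets and rate numbers are constructed.
"""
import ipaddress
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

FARM = ipaddress.ip_network("10.20.0.0/24")        # constructed: NT/IIS farm
ADMIN_NET = ipaddress.ip_network("10.99.0.0/24")   # constructed: admin consoles
FW_MGMT = ipaddress.ip_address("10.99.0.1")        # constructed: firewall mgmt address


@dataclass(frozen=True)
class Flow:
    """First packet of a connection attempt as seen by the edge filter."""
    src: str
    dst: str
    proto: str
    dport: int


class RateLimiter:
    """Token bucket per source: sustain `rate` new connections/s, burst `burst`."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, src: str, now: float) -> bool:
        elapsed = now - self.last.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last[src] = now
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False


# constructed numbers; ~1M hits per 8 h is ~35 new connections/s in aggregate,
# so a per-source budget above that still stops a single flooding host
LIMITER = RateLimiter(rate=50.0, burst=100)


def decide(flow: Flow, now: Optional[float] = None) -> Tuple[str, str]:
    """Return (verdict, rule-name) for a new connection; rule-name is the log tag."""
    now = time.monotonic() if now is None else now
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # (e) management plane: admin subnet only; the outside never reaches it
    if dst == FW_MGMT:
        if src in ADMIN_NET:
            return "accept", "mgmt-from-inside"
        return "drop", "mgmt-from-outside"
    # (a) HTTPS into the farm, subject to (d) per-source rate limiting
    if dst in FARM and flow.proto == "tcp" and flow.dport == 443:
        if not LIMITER.allow(flow.src, now):
            return "drop", "rate-limited"
        return "accept", "https-to-farm"
    # (b)/(c) anything else, inbound or outbound, hits the default deny
    return "drop", "default-deny"
```

The management rule sits before the service rule on purpose: an outside host aimed at the firewall's own address must never fall through to the HTTPS rule, and the farm's outbound traffic (which Harry says does not exist) lands on the default deny, so a compromised farm box gains no route out. The rate limiter is a token bucket keyed on source address, which only helps against a single noisy source; it is not a substitute for upstream flood protection.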
RE: OT: Hardware proxy?

> Leland -- I scanned your site and Watchguard's. Both look very interesting
> and relevant to my needs. We are in the early design phases of a super
> secure, rather high volume (perhaps 1M hits/8 hr day) environment. The
> transactions are quite simple. An incoming HTTPS query of about 150 bytes.
> The response from the secure service is also about 150 bytes long. The
> HTTPS query will be handled by a farm of NT servers running IIS. We are
> using ISAPI DLL's (which run under IIS) to handle the HTTPS request. This
> is the ONLY type of traffic which will traverse the firewall. There will
> be no need for PC's inside this secure network to browse or access the
> Internet. The network will be ENTIRELY dedicated to these secure
> transactions.

On a "here's an alternative just for the hell of it" basis:

Outside World
      |
Packet Filtering Firewall (443 only)
      |
SSL Layer proxy }
      |         } These could actually be one unit, but I don't know of
Caching proxy   } any that will do both jobs
      |
  | | | | | | |
HTTP server farm

Benefits:

- Multiple security layers. Packet filtering, then application-level firewalling via the proxies (allowing you to block potential hacks before they even get to your servers), then the servers themselves. In the case of a recently publicised IIS problem which could be accessed via a specific set of urls, such a setup allows you to simply block, log, and move on within moments of knowing about it. A suitable set of access rules for your site could well mean that you block future hacks before they've even been discovered.
- Higher performance levels. The caching proxy below the SSL link means that your web servers will not have to serve up images or static content; you get a rapid in-memory response (known as an http-accelerator).

Costs:

- More potential points of failure. Failover on the proxy box is necessary.
- SSL can be fairly CPU intensive; the SSL proxy must be fast and solid.
- A bit more work to set up :)

Note that in your case, you specified a small request and reply, so this structure may not apply particularly well (maybe you're not serving any static content :). Also note that 1mil hits in 8hrs should be servable in HTTP by no more than 3 decent boxes. You may want one more for failure tolerance. I have yet to evaluate the cost of HTTPS on a connection.

Richard.
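The "SSL Layer proxy" tier of the diagram, with the application-level access rules Richard describes (block, log, and move on), as an added example for the thread rather than code from any product or from the list. It assumes a plain-HTTP backend at a constructed BACKEND address, a constructed allowlist of one (method, path) pair standing in for the single ISAPI endpoint, and a cert/key pair at the constructed paths CERT_FILE and KEY_FILE; when those files are absent it listens in plain HTTP so the filter can be exercised locally without certificates.

```python
"""TLS-terminating, allow-listing proxy stage (the 'SSL Layer proxy' in the
diagram above).  Added example, not from the thread and not any product's
code.  Assumptions: an HTTP backend at BACKEND, a constructed (method, path)
allowlist for the single ISAPI endpoint, and a cert/key pair at the
constructed paths CERT_FILE/KEY_FILE; if those files are absent the proxy
listens in plain HTTP so the filtering can still be exercised locally.
"""
import os
import re
import socket
import ssl
import threading
from typing import Tuple

BACKEND = ("127.0.0.1", 8080)                   # constructed: one farm box
CERT_FILE, KEY_FILE = "proxy.crt", "proxy.key"  # constructed paths
MAX_REQUEST = 2048                              # real requests are ~150 bytes
ALLOWED = {("POST", "/txn")}                    # constructed: the one endpoint
CL_RE = re.compile(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*$")


def filter_request(raw: bytes) -> Tuple[bool, str]:
    """Default-deny check on one raw HTTP request; the reason is the log tag."""
    if len(raw) > MAX_REQUEST:
        return False, "too-large"
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete-headers"
    parts = head.split(b"\r\n")[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        return False, "bad-request-line"
    method, path = parts[0], parts[1].split(b"?", 1)[0]
    # anything that is not a plain absolute path is refused before the allowlist
    if not path.startswith(b"/") or b".." in path or b"%" in path or b"\\" in path:
        return False, "suspicious-path"
    key = (method.decode("ascii", "replace"), path.decode("ascii", "replace"))
    if key not in ALLOWED:
        return False, "not-allowlisted"
    return True, "ok"


def read_request(client: socket.socket) -> bytes:
    """Read headers plus a Content-Length body, bounded by MAX_REQUEST + one chunk."""
    raw = b""
    while b"\r\n\r\n" not in raw and len(raw) <= MAX_REQUEST:
        chunk = client.recv(1024)
        if not chunk:
            return raw
        raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    need = int(m.group(1)) if (m := CL_RE.search(head)) else 0
    while len(body) < need and len(raw) <= MAX_REQUEST:
        chunk = client.recv(1024)
        if not chunk:
            break
        raw, body = raw + chunk, body + chunk
    return raw


def handle(client: socket.socket) -> None:
    """Filter one request, then relay it to the backend or answer 403."""
    try:
        client.settimeout(5)
        raw = read_request(client)
        ok, reason = filter_request(raw)
        if not ok:
            print("deny", client.getpeername()[0], reason)   # log, then refuse
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n"
                           b"Connection: close\r\n\r\n")
            return
        with socket.create_connection(BACKEND, timeout=5) as upstream:
            upstream.sendall(raw)
            while chunk := upstream.recv(4096):   # relay until the backend closes
                client.sendall(chunk)
    except OSError:
        pass
    finally:
        client.close()


def serve(bind=("0.0.0.0", 443)) -> None:
    """Accept loop: terminate TLS here (if a cert exists) and hand off to handle()."""
    ctx = None
    if os.path.exists(CERT_FILE) and os.path.exists(KEY_FILE):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.load_cert_chain(CERT_FILE, KEY_FILE)
    with socket.create_server(bind) as srv:
        while True:
            conn, _ = srv.accept()
            try:
                if ctx is not None:
                    conn = ctx.wrap_socket(conn, server_side=True)
            except OSError:        # failed handshake: drop the connection
                conn.close()
                continue
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The filter is deliberately an exact-match allowlist rather than a blocklist of known bad URLs: with one endpoint behind the proxy, a new IIS problem reachable through some other path is refused and logged the moment it arrives, which is the "block future hacks before they've even been discovered" effect Richard describes. The relay reads until the backend closes the connection, so it assumes the backend closes after each response; a production proxy would parse the response framing instead, and the refused-request log line is where a detection pipeline would attach.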