I am in the midst of a debate with a coworker on where to put a proxy server
in regards to firewall/security physical topology. I say to disable proxy
services (if possible) and only use the content caching services, then put
the box in the DMZ with other services, like DNS, email, etc. I like this
topology better as the firewall can provide some security for these servers
and I don't really need the proxy services as I typically will use NAT/PAT
on the firewall.
My coworker prefers to run the proxy server (proxy and content caching
services both enabled) in parallel to the firewall rather than in the
internal or DMZ networks, allowing all web surfing to bypass the firewall
and not tie up bandwidth on the firewall. I don't like this as well as I
feel the security is weakened by doing this. If it's possible to compromise
the proxy server (which my coworker doesn't feel is possible), then it might
be possible to compromise beyond that.
I realize his way may improve firewall performance, but the PIX has never
been short in this area and I want security to be top priority over
performance.
I have a fair amount of experience with this but I'm always open to
alternative thinking. Please let me know what you think!
Rik Guyler
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
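To make the reachability argument in the post concrete, here is an added example (not code from the original post or the list): a small Python model of the two placements under discussion, which asks what a compromised proxy host could reach without a single hop being policed by the PIX. The host names and link labels are constructed assumptions, not a real network.

```python
from collections import defaultdict, deque

# Constructed topologies for the two placements under debate. Each link is
# (a, b, policed) where policed=True means the hop crosses the PIX and is
# subject to its access policy; links are treated as bidirectional.
# Placement 1: proxy (caching only) sits on the DMZ segment behind the PIX.
PROXY_IN_DMZ = [
    ("internet", "pix", True),        # outside interface, policed by the PIX
    ("pix", "dmz_segment", True),
    ("pix", "internal_lan", True),
    ("dmz_segment", "proxy", False),  # same segment, no policy between hosts
    ("dmz_segment", "dns", False),
    ("dmz_segment", "mail", False),
]
# Placement 2: proxy straddles outside and inside, in parallel with the PIX.
PROXY_PARALLEL = [
    ("internet", "pix", True),
    ("pix", "internal_lan", True),
    ("internet", "proxy", False),      # outside-facing NIC, not behind the PIX
    ("proxy", "internal_lan", False),  # inside-facing NIC
]


def unfiltered_reach(links, start):
    """Hosts reachable from `start` using only links the firewall never polices."""
    adj = defaultdict(list)
    for a, b, policed in links:
        if not policed:
            adj[a].append(b)
            adj[b].append(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return frozenset(seen)


def internal_exposed(links, pivot="proxy", target="internal_lan"):
    """True if a compromise of `pivot` gives unpoliced reach to `target`."""
    return target in unfiltered_reach(links, pivot)


if __name__ == "__main__":
    for name, topo in (("proxy in DMZ", PROXY_IN_DMZ),
                       ("proxy parallel to PIX", PROXY_PARALLEL)):
        print(f"{name}: unpoliced reach from compromised proxy = "
              f"{sorted(unfiltered_reach(topo, 'proxy'))}; "
              f"internal LAN exposed: {internal_exposed(topo)}")
```

In the DMZ placement the only unpoliced neighbours of the proxy are the other DMZ hosts, so a proxy compromise still has to pass the PIX to touch the inside; in the parallel placement the inside NIC is an unpoliced path straight to the LAN.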