Chuck, will you please attach a simple design showing us how and where you
recommend placing the proxy... Lawrence


>From: "Chuck Larrieu" <[EMAIL PROTECTED]>
>Reply-To: "Chuck Larrieu" <[EMAIL PROTECTED]>
>To: "Rik Guyler" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>Subject: RE: Where do you put your proxy servers?
>Date: Mon, 6 Nov 2000 12:53:13 -0800
>
>Any box can be compromised, be it router, firewall, or proxy server, and
>despite the religious war that generally erupts when you say it, any OS can
>be compromised, be it Unix, Solaris, Linux, or NT.
>
>Security is a matter of policy, and placement, and structure, and realistic
>risk assessment.
>
>Question - no matter what the box or function involved, should there be a
>single point of vulnerability, one which if compromised, provides an
>intruder direct access to your inside network? It does not matter if this
>single point is a dial up modem line, or a firewall, or anything else. Is
>this a risk worth taking?
>
>My instinct is that security should be implemented in degrees, and in areas.
>One should not design situations where the compromise of a single box puts
>someone on the inside. So in that respect I take your side. My opinion is
>that your associate would create a point of vulnerability where it is not
>necessary to do so.
>
>Chuck
>
>
>-----Original Message-----
>From:  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rik
>Guyler
>Sent:  Monday, November 06, 2000 12:20 PM
>To:    '[EMAIL PROTECTED]'
>Subject:       Where do you put your proxy servers?
>
>I am in the midst of a debate with a coworker on where to put a proxy server
>in regards to firewall/security physical topology.  I say to disable proxy
>services (if possible) and only use the content caching services, then put
>the box in the DMZ with other services, like DNS, email, etc.  I like this
>topology better as the firewall can provide some security for these servers
>and I don't really need the proxy services as I typically will use NAT/PAT
>on the firewall.
>
>My coworker prefers to run the proxy server (proxy and content caching
>services both enabled) in parallel to the firewall rather than in the
>internal or DMZ networks, allowing all web surfing to bypass the firewall
>and not tie up bandwidth on the firewall.  I don't like this as well as I
>feel the security is weakened by doing this.  If it's possible to compromise
>the proxy server (which my coworker doesn't feel is possible), then it might
>be possible to compromise beyond that.
>
>I realize his way may improve firewall performance, but the PIX has never
>been short in this area and I want security to be top priority over
>performance.
>
>I have a fair amount of experience with this but I'm always open to
>alternative thinking.  Please let me know what you think!
>
>Rik Guyler
>
>_________________________________
>FAQ, list archives, and subscription info:
>http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]