Remember that the Proxy server doesn't really provide security as such but
rather content caching. Unfortunately the benefit is not that great for big
pipes to the Internet and so its value is questionable. If you are using a
somewhat slow link or your link is rather oversubscribed, then I would keep
the proxy server to reduce the bandwidth requirements via caching.
For your situation, I might consider keeping the proxy server in place
regardless of your circuit bandwidth. You say you already have filtering
software in place so why buy something else to handle the same requirement
you're already fulfilling? Websense filters URL (HTTP only) content plus
provides authentication via the NT database and creates a variety of
reports. For the money, this is one of the best products out there (I
know...I install this product quite frequently). A cache engine is a great
product also but neither one comes cheap. Since you can already handle the
caching and filtering, I wouldn't waste the money replacing them.
You can use the MS RADIUS server, which is free (IIS option pack), but you
still would be giving up the caching and URL filtering capabilities of your
current Proxy server. I like John's overall solution the best but if the
budget is limited, stay with the Proxy box and integrate it into the PIX
solution.
If you want content filtering, then go with
---
Rik Guyler
-----Original Message-----
From: John Hardman [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 08, 2001 1:23 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX recommendations !!! [7:11336]
Hi
I had a very similar problem to solve at work myself.
The recommendation I finally came up with to meet the business needs of...
1) Content filtering
2) Logging of Internet activity
3) Improved usage of Internet bandwidth
So we used...
1) PIX 520 UR with fail-over
2) WebSense content filtering
3) And add a cache engine using WCCP
4) Added a Private I syslog server/analyzer for detailed usage reports
If I also had the need to do authentication against an NT domain I would
have also added Cisco Secure ACS and had it use the NT SAM as its database.
I guess you could also use the MS RADIUS server to authenticate against the
domain, but I have never used this so I can not guarantee that it will work.
HTH
--
John Hardman CCNP MCSE
"Raees Ahmed Shaikh" wrote in message news:[EMAIL PROTECTED]...
> Hi all,
>
> I just need some of the recommendations to install a PIX box 525 in our
> network, currently we have MS proxy in our network, Should I replace proxy
> with the PIX, or use two level of defense, comprising of PIX&Proxy. We have
> some application level url filtering software running on that proxy as well.
> Moreover the MS-proxy is using the NT Domain Security Model and thus using
> cut-through proxy feature, can that security be available if I go on, with
> PIX. Without the Ms-proxy is it possible to use the same NT database for
> cut-through authentication.
>
> Some helpful tips please which will help me in the designing process.
>
> Thanks in advance and Best Regards,
>
> Shaikh Raees,
>
> CCNP,CCNA,CCDA,MCSE,MCP,CNE,CCIE Written.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11371&t=11336