Personally, I like hardware solutions over software solutions.  My company
recently ditched proxy in favor of border routers running the firewall IOS
and PIXes inside.  One nice thing about the PIX is PAT (Port Address
Translation).  We run several thousand IP addresses out to the Internet
using only 1 real IP.  The downside for you will be that you will need to
reconfigure your clients' proxy settings, since the PIX is not a proxy
server.  The best way to do this is to just point your core routers to the
PIX as the gateway of last resort and as long as the clients can get to the
core, you're ok.

Websense and the Cisco Cache engine also work very nicely with the PIX and
firewall IOS.  I'm not sure I can agree on Private I being a great
monitoring tool, even though a lot of people like it.  I've always had
issues with the reporting features.  It does work nicely though, if all you
want is to collect syslog messages and be alerted to various events.

Brian Wilkins




Rik Guyler wrote:
> 
> Remember that the Proxy server doesn't really provide security as such but
> rather content caching.  Unfortunately the benefit is not that great for big
> pipes to the Internet and so its value is questionable.  If you are using a
> somewhat slow link or your link is rather oversubscribed, then I would keep
> the proxy server to reduce the bandwidth requirements via caching.
>
> For your situation, I might consider keeping the proxy server in place
> regardless of your circuit bandwidth.  You say you already have filtering
> software in place so why buy something else to handle the same requirement
> you're already fulfilling?  Websense filters URL (HTTP only) content plus
> provides authentication via the NT database and creates a variety of
> reports.  For the money, this is one of the best products out there (I
> know...I install this product quite frequently).  A cache engine is a great
> product also but neither one comes cheap.  Since you can already handle the
> caching and filtering, I wouldn't waste the money replacing them.
>
> You can use the MS RADIUS server, which is free (IIS option pack), but you
> still would be giving up the caching and URL filtering capabilities of your
> current Proxy server.  I like John's overall solution the best but if the
> budget is limited, stay with the Proxy box and integrate it into the PIX
> solution.
> 
> If you want content filtering, then go with 
> 
> ---
> Rik Guyler
> 
> -----Original Message-----
> From: John Hardman [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, July 08, 2001 1:23 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX recommendations !!! [7:11336]
> 
> 
> Hi
> 
> I had a very similar problem to solve at work myself.
> 
> The recommendation I finally came up with to meet the business needs of...
> 
> 1) Content filtering
> 2) Logging of Internet activity
> 3) Improved usage of Internet bandwidth
> 
> So we used...
> 
> 1) PIX 520 UR with fail-over
> 2) WebSense content filtering
> 3) And add a cache engine using WCCP
> 4) Added a Private I syslog server/analyzer for detailed usage reports
>
> If I also had the need to do authentication against an NT domain I would
> have also added Cisco Secure ACS and had it use the NT SAM as its database.
> I guess you could also use the MS RADIUS server to authenticate against the
> domain, but I have never used this so I can not guarantee that it will work.
> 
> HTH
> --
> John Hardman CCNP MCSE
> 
> 
> "Raees Ahmed Shaikh" wrote in message news:[EMAIL PROTECTED]...
> > Hi all,
> >
> > I just need some of the recommendations to install a PIX box 525 in our
> > network, currently we have MS proxy in our network, Should I replace proxy
> > with the PIX, or use two level of defense, comprising of PIX&Proxy.  We have
> > some application level url filtering software running on that proxy as well.
> > Moreover the MS-proxy is using the NT Domain Security Model and thus using
> > cut-through proxy feature, can that security be available if I go on, with
> > PIX. Without the Ms-proxy is it possible to use the same NT database for
> > cut-through authentication.
> >
> > Some helpful tips please which will help me in the designing process.
> >
> > Thanks in advance and Best Regards,
> >
> > Shaikh Raees,
> >
> > CCNP,CCNA,CCDA,MCSE,MCP,CNE,CCIE Written.
> >
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11634&t=11336