I'm looking at a similar issue.  The question is how do you go about
implementing the PIX without touching 1000 desktops and interrupting
business.  I looked at this from a BorderManager perspective.  Very
similar to Proxy but it's a firewall as well.  I would suggest you continue
to use the Proxy server as the default gateway for your internal clients.  Set
up access lists on the PIX to only accept connections from the proxy server
and any clients for which you are bypassing the Proxy.  This should be pretty
seamless and still secure.

"Raees Ahmed Shaikh" wrote in message news:[EMAIL PROTECTED]...
> Dear all,
>
> Thanks for all the suggestions and explanations. The main core reason for
> asking for the recommendations was that I was not really sure about the
> critical balance between security and usability. Everybody knows about the
> MS-Proxy and its vulnerabilities and its openness to attacks. We bought the
> PIX just to secure our network from all those unknown vulnerabilities. I
> personally thought the PIX box would be a nice buy, since it is less prone and
> has some built-in functionality to prevent such vulnerabilities. The
> question which I face now is production change without interrupting the
> business, and change of activities to our end-user, meaning to say the
> end-users should not feel that something has changed. Moreover the
> integration of the PIX with the current NT security model, the URL filtering
> option, and various DNS records modifications made me think to keep the
> proxy in its place and add the PIX as the first line of defense.
>
> Internet-----------Router-----------PIX---------------MSPROXY---------LAN
>
> A simple question which always comes to my mind concerning security is that,
> if the internet users have sessions to our MSproxy server and internal
> network, isn't our internal network still vulnerable to those attacks which
> were there prior to putting in the PIX? We have enabled Winsock apps on the
> proxy, and a lot of apps are being used by our LAN users. Was that PIX worth
> a buy? etc etc.
>
> Still not sure what the final design will look like. Just putting more time
> and research into it.
>
> Thanks and Regards,
>
> Shaikh Raees




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11874&t=11651
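
The reply above suggests access lists on the PIX that accept connections only from the proxy server and from approved bypass clients. The following is an added example, not part of the original posts: a small Python check that reads a PIX-style configuration and lists every permit rule on the inside interface whose source is anything else. The ACL name, all addresses and the simplified `access-list` parsing (sources of the form `any`, `host A` or `A MASK` only) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of a PIX-style configuration; the ACL name and every
# address here are made up for this example.
SAMPLE_CONFIG = """\
access-list inside_out permit tcp host 10.1.1.10 any eq 80
access-list inside_out permit tcp host 10.1.1.10 any eq 443
access-list inside_out permit tcp host 10.1.1.50 any eq 1494
access-list inside_out permit ip 10.1.2.0 255.255.255.0 any
access-list inside_out deny ip any any
access-group inside_out in interface inside
"""

def bound_acl(config, interface):
    """Name of the ACL applied inbound on `interface`, or None if there is none."""
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 5 and tok[0] == "access-group" and tok[2:] == ["in", "interface", interface]:
            return tok[1]
    return None

def source_network(fields):
    """Parse the source that follows '<action> <protocol>': any | host A | A MASK."""
    if fields[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if fields[0] == "host":
        return ipaddress.ip_network(fields[1] + "/32")
    return ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)

def unexpected_permits(config, allowed_hosts, interface="inside"):
    """List permit rules whose source is not exactly one of the allowed hosts."""
    acl = bound_acl(config, interface)
    if acl is None:
        return [f"no access-list is bound to interface {interface}"]
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["access-list", acl] or tok[2] != "permit":
            continue
        net = source_network(tok[4:])
        if net.prefixlen != 32 or net.network_address not in allowed:
            findings.append(line.strip())
    return findings

if __name__ == "__main__":
    # 10.1.1.10 stands in for the proxy server, 10.1.1.50 for an approved bypass client.
    for rule in unexpected_permits(SAMPLE_CONFIG, ["10.1.1.10", "10.1.1.50"]):
        print("review:", rule)
```

On the constructed sample, the only rule reported is the subnet-wide permit, which would let clients reach the PIX without going through the proxy.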