[ale] Proxy Servers and Firewalls

SAngell at nan.net SAngell at nan.net
Thu Jun 21 10:19:05 EDT 2001




I will try to give you my take on this issue with regards to how I am utilizing
both. A proxy server CAN function as a firewall, but poorly. A proxy server
is used primarily to mask numerous users behind a single IP and is primarily for
users to gain access to a service or services located on a separate network, in
your case the Internet. Also, a proxy can speed HTML access by caching pages to
disk. Therefore pages that are constantly being accessed can be pulled from your
proxy rather than going out to the actual web server each time. You set the time
limits on caching. Also, you can control who has access to the web from your LAN
and what services can be used. Proxies do function as somewhat of a firewall by
nature by masking all addresses coming from your internal network with their own
address.

Firewalls, on the other hand, are primarily designed to keep traffic out, based on
source or destination IP as well as down to the port level. I even use NAT to
mask the true IP of my servers. The address people hit from the Internet is a
phantom. It does not exist.

Basically the question is what do you want to accomplish. If your primary
concern is the safety of your network then go with a firewall. If you want to
provide services to your internal users while providing some degree of safety to
your network then use a proxy. I would have to recommend using both, along with
some form of Intrusion Detection System.

My current setup consists of:

4 web servers and 4 e-mail servers and my Proxy Server in a DMZ protected by
Checkpoint Firewall. In addition I am using ISS RealSecure with various sensors
placed fore and aft of the Firewall and host sensors on all critical systems. I am
dropping all packets FROM the Internet, with the Firewall ruleset, with the
exception of those to ports used by my servers; 7 different ports is all I
allow. Traffic going out from the Proxy is limited to 5 ports.

If you choose to go with a firewall always keep in mind that your first rule
should be an implicit deny! This closes ALL ports. Then you open the specific
ones you want to allow. If you would like a generic diagram of how I have this
set up, let me know; I can send you a diagram in HTML format.

Steve Angell,  MCSE, CCNA
MIS Operations Manager
TSYS Total Debt Management
Phone 770-409-5570
Fax      770-416-1752
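The default-deny ruleset and the NAT "phantom address" described in the message above, as an added example that is not part of the original post and not the author's Checkpoint configuration: a POSIX shell script that builds an iptables ruleset in that shape on a Linux firewall (drop policy first, then only the few inbound ports to the DMZ servers and the few outbound ports from the proxy, plus a DNAT rule so the address the Internet connects to is not the web server's real one). The interface names, addresses (RFC 5737 documentation ranges) and port lists are assumed placeholders; the post gives only the counts (7 inbound, 5 outbound), not the ports themselves.

```shell
#!/bin/sh
# Added example, not from the original post or the author's Checkpoint setup:
# a default-deny iptables ruleset for a DMZ behind a Linux firewall.
# All interface names, addresses and port lists below are assumed placeholders
# (RFC 5737 documentation prefixes); replace them with your own.
set -eu

EXT_IF="eth0"                  # assumed: interface facing the Internet
DMZ_IF="eth1"                  # assumed: interface facing the DMZ
DMZ_NET="192.0.2.0/24"         # assumed: DMZ address range
PROXY="192.0.2.10"             # assumed: proxy server in the DMZ
REAL_WEB="192.0.2.20"          # assumed: a web server's real DMZ address
PUBLIC_WEB="198.51.100.5"      # assumed: the "phantom" address clients hit
INBOUND_PORTS="25 80 443"      # assumed: the only ports reachable from outside
PROXY_OUT_PORTS="80 443"       # assumed: the only ports the proxy may reach

# Run iptables, or only print the commands when IPT is set (dry run).
ipt() { ${IPT:-iptables} "$@"; }

build_ruleset() {
    ipt -F
    ipt -t nat -F
    ipt -X

    # 1. The implicit deny: with the policy at DROP, any packet that matches
    #    none of the ACCEPT rules below is discarded. Ports are opened after.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # 2. Replies to connections we already allowed, and loopback traffic.
    ipt -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # 3. NAT: the Internet connects to PUBLIC_WEB; the firewall rewrites the
    #    destination to the real server, so the real address is never exposed.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_WEB" -p tcp --dport 80 \
        -j DNAT --to-destination "$REAL_WEB"

    # 4. From the Internet into the DMZ: only new connections to the listed
    #    ports. Everything else falls through to the DROP policy.
    for port in $INBOUND_PORTS; do
        ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_NET" \
            -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # 5. Out of the DMZ: only the proxy, and only to the listed ports, so a
    #    compromised DMZ host cannot open arbitrary outbound connections.
    for port in $PROXY_OUT_PORTS; do
        ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$PROXY" \
            -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # 6. Log what is about to be dropped (rate-limited) so the IDS and the
    #    admin can see probes; the DROP policy then discards it.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    ipt -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# Usage: "sh firewall.sh" prints the commands (dry run);
#        "sh firewall.sh apply" installs them (needs root).
case "${1:-}" in
    apply) build_ruleset ;;
    *)     IPT="echo iptables"; build_ruleset ;;
esac
```

Run it without arguments first and read the printed commands: every ACCEPT should name a specific source or destination and port, and anything not listed (telnet on 23, for instance) should appear nowhere, because the DROP policy set in step 1 is what handles it. The conntrack rule in step 2 is what makes the tight inbound and outbound lists workable, since reply packets are admitted by state rather than by opening the high ports they use.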

