I've never used proxy-based firewalls myself, so I can only discuss this from a theoretical perspective.

Proxies have the advantage that you never directly expose the application on your sensitive hosts to internet traffic. Clients will only have direct access to the proxy server, which, being a well written (and relatively simple) security product, should be less vulnerable to attacks than the actual server (which is more complex and likely written by less security-conscious application developers).

While there's probably a lot of stuff that a proxy can't guard against (i.e. flaws in the protocol or implementation that allow well formed data to be used as an exploit), it should protect you from attacks that use badly formed data (since the proxy server should only resend well formed data to your actual server).

Please understand I am by no means an expert on this, and what I described above is based on my understanding of how proxies work (read protocol data in, validate it, and regenerate identical protocol data to send to the actual server). If that is wrong then my argument lacks merit.

Regards,
Sheer

On Tue, 20 Nov 2001, Eric Daigneault wrote:

> At 10:00 AM scouby@vacv.com -0500, you wrote:
>
> Ok, sorry, I was trying to make short n sweet!
>
> Ok, for the purpose of the situation, let's consider I'm pretty good in
> security architecture and firewalling.
>
> I've never been a fan of the proxying technology, for a lot of reasons!
> And I have never used any on the architectures I have built before.
>
> Let's consider an architecture looking like the plan1 attached here!
>
> If I put my mail server in the local DMZ, there are two ways to make it
> accessible from the internet, PAT (Port Address Translation) or by proxy.
> The same if I want to let the user access the web (80). I can make it
> straight out with filtering or by proxy... And so on for every
> single internet service!
>
> So, now I'm asking, why should I use a proxy... Is it really better, or not?
>
> >Eric,
> >
> > > I'm working on a security architecture, and I need some opinions!
> > >
> > > It's simple... with or without proxy!
> >
> >You'll really need to do some research before someone can give you an
> >educated response. The term "proxy" is very broad and depends on your
> >environment, users, bandwidth, should be part of a firewall system, etc.
> >
> >Start by reading the firewalls FAQ:
> >http://www.linuxsecurity.com/resource_files/firewalls/fwfaq/firewalls-faq.html
> >
> >Best,
> >Dave
> >
> >--
> >Dave Wreski
> >Corporate Manager Guardian Digital, Inc.
> >(201) 934-9230 Pioneering. Open Source. Security.
> >dave@guardiandigital.com http://www.guardiandigital.com
> >------------------------------------------------------------------------
> > To unsubscribe email security-discuss-request@linuxsecurity.com
> > with "unsubscribe" in the subject of the message.
>
> Eric Daigneault
> Systems Administrator
> Vacances Air Canada
>
> -- Play with the best, die like the rest --
>
> -- Binary/unsupported file stripped by Listar --
> -- Type: application/msword
> -- File: Plan 1.doc
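
The "read protocol data in, validate it, and regenerate it" model from the reply above, sketched as an added example that is not part of the original thread or written by any of its participants. It assumes SMTP (the thread's mail server case) and a deliberately narrow verb subset; `regenerate` and `GRAMMAR` are hypothetical names.

```python
import re

MAX_LINE = 512  # RFC 5321 limit on a command line, CRLF included
HOST = rb"[A-Za-z0-9.-]+"
ADDR = rb"<[A-Za-z0-9._%+-]+@" + HOST + rb">"

# verb -> (argument pattern or None, template used to rebuild the line)
GRAMMAR = {
    b"HELO": (re.compile(rb"(" + HOST + rb")"), b"HELO %s"),
    b"EHLO": (re.compile(rb"(" + HOST + rb")"), b"EHLO %s"),
    b"MAIL": (re.compile(rb"FROM:\s*(" + ADDR + rb"|<>)", re.I), b"MAIL FROM:%s"),
    b"RCPT": (re.compile(rb"TO:\s*(" + ADDR + rb")", re.I), b"RCPT TO:%s"),
    b"DATA": (None, b"DATA"),
    b"RSET": (None, b"RSET"),
    b"QUIT": (None, b"QUIT"),
}

def regenerate(raw: bytes):
    """Return (True, rebuilt line for the backend) or (False, reply for the client)."""
    if len(raw) > MAX_LINE or not raw.endswith(b"\r\n"):
        return False, b"500 Line too long or not CRLF-terminated\r\n"
    body = raw[:-2]
    # Printable ASCII only: rejects NULs, 8-bit bytes and embedded CR/LF.
    if any(c < 0x20 or c > 0x7E for c in body):
        return False, b"500 Illegal character in command\r\n"
    verb, _, arg = body.partition(b" ")
    rule = GRAMMAR.get(verb.upper())
    if rule is None:
        return False, b"502 Command not relayed\r\n"
    pattern, template = rule
    if pattern is None:
        if arg.strip():
            return False, b"501 Unexpected argument\r\n"
        return True, template + b"\r\n"
    match = pattern.fullmatch(arg.strip())
    if match is None:
        return False, b"501 Malformed argument\r\n"
    # The backend sees a line rebuilt from validated fields, not the raw input.
    return True, template % match.group(1) + b"\r\n"

if __name__ == "__main__":
    # Constructed client input, not taken from the thread.
    for line in (b"mail from: <alice@example.org>\r\n",
                 b"RCPT TO:<bob@example.org>\r\nDATA\r\n",
                 b"DEBUG\r\n"):
        print(line, "->", regenerate(line))
```

Well-formed commands that exploit a flaw in the backend itself still pass through unchanged, which is the limit the reply already notes.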