[fw-wiz] Query: Why bother with an application proxy over stateful packet filtering?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Experts,

I am interested in knowing more about network access control via various
kinds of firewalls.

I am wondering why there would be a need to set up a proxy such as a web
proxy (Squid) instead of just using a stateful packet filtering firewall
(iptables) only in a network?

I realise Squid provides caching, but leaving that aside and focusing on
the security policy aspects, what advantages can it offer over a general
purpose firewall?

My initial research/reading into Squid, for example, seems to suggest
that Linux iptables can cover all of Squid's functionality, such as ACLs
via ports and IP address range, protocol type, deep packet inspection,
etc.

One thing, however, I see Squid can do is provide access control by
end-user, whereas iptables seems only to provide this at a host machine
level.

But I see iptables has --owner matching along with --string matching,
and also has a layer-7 module now.

I am just trying to get a feel for why one would be used over another.

Also, are web proxies used in conjunction with firewalls, or in place of
a firewall?

I presume a bastion style host proxy with a firewall is the usual setup:

LAN --> squid proxy --> iptables ---> internet

or even a multi-homed device:

LAN --> [proxy and firewall] --> internet

regards,
Will.


- --
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG0tocIcwlebz1MmwRAvwOAJ93bgxR71YoQyfc8j97bNP7nM/N2gCg7Mwe
uX7Oi+/dg8hZTL/iTrRFBcA=
=MKS+
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
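The multi-homed "[proxy and firewall]" layout the post sketches, written out as an added example that is not part of the original message and not Squid's or netfilter's own documentation. It pairs the two tools the way they are usually combined: the stateful packet filter only lets LAN hosts reach the Squid listener and only lets the squid process (matched with -m owner, which is what --owner gives you) open outbound web connections, so a client cannot bypass the proxy's policy by talking to port 80 directly; the per-user decisions that iptables cannot see (who is logged in, which hostname or method is requested) live in Squid's ACLs. Interface names, the LAN range, the proxy port, the account Squid runs as, the auth helper path and the example user names and blocked domain are all assumptions; run it with IPT=echo to print the rules without touching the kernel.

```shell
#!/bin/sh
# Added example: single host acting as Squid proxy + iptables firewall.
# LAN --> [this host: squid + iptables] --> Internet
# All names and addresses below are assumed, not taken from the post.
set -eu

LAN_IF=${LAN_IF:-eth1}           # assumed: interface facing the LAN
WAN_IF=${WAN_IF:-eth0}           # assumed: interface facing the Internet
LAN_NET=${LAN_NET:-10.0.0.0/24}  # assumed: LAN address range
PROXY_PORT=${PROXY_PORT:-3128}   # assumed: Squid listener port
SQUID_USER=${SQUID_USER:-proxy}  # assumed: unprivileged account Squid runs as
IPT=${IPT:-iptables}             # IPT=echo gives a dry run

# Packet-filter side. Policy: LAN hosts may talk to the proxy listener
# and nothing else; nothing is routed between LAN and WAN; only the
# squid process may originate HTTP/HTTPS to the Internet. A client that
# points its browser straight at an Internet web server is dropped, so
# the proxy's ACLs cannot be bypassed.
fw_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # stateful part: replies and related traffic ride on existing state
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN clients may open connections to the proxy port only
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" \
         -m conntrack --ctstate NEW -j ACCEPT
    # only the squid account may open outbound web connections (--owner
    # works in OUTPUT because the socket is local to this host)
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 \
         -m owner --uid-owner "$SQUID_USER" -m conntrack --ctstate NEW -j ACCEPT
    # the proxy host itself needs DNS
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
}

# Proxy side. These decisions are made on the HTTP request, not the
# packet: which authenticated user asked, for which host, with which
# method. The helper path, realm, user names and blocked domain are
# assumptions for the example.
squid_acl() {
    cat <<EOF
http_port ${PROXY_PORT}
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy
acl lan src ${LAN_NET}
acl authed proxy_auth REQUIRED
acl staff proxy_auth alice bob
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl blocked dstdomain .example.net
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked
http_access allow lan staff
http_access deny all
EOF
}

# Usage: ./proxyfw.sh apply   (as root)   or   IPT=echo ./proxyfw.sh apply
if [ "${1:-}" = "apply" ]; then
    fw_rules
    squid_acl > /etc/squid/squid.conf
fi
```

The Squid fragment allows only the named users on the LAN and denies everything else, including CONNECT to anything but 443; the iptables part makes that policy the only path out. Note that -m owner can only match on the local socket owner, so it distinguishes processes on the firewall host, not the person at the LAN client, which is exactly the gap the proxy_auth ACL fills.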
