Re: masquerading vs. application proxy

From: Craig Holmes (Leusent@home.com)
Date: 09/29/01


From: Craig Holmes <Leusent@home.com>
To: focus-linux@securityfocus.com
Subject: Re: masquerading vs. application proxy
Date: Fri, 28 Sep 2001 23:58:59 -0400
Message-Id: <01092823585900.00929@Weltall.gearbolt.net>

The difference is pretty much:

Using application proxies gives you more control over what your internal users
do. If you set up an http proxy, then your users will only be able to use http.
Whereas a NAT firewall allows all connections through it. With an http proxy
your internal users cannot use irc, realaudio, etc... if that's what you want.
Note that you can set up a firewall around your NAT proxy, so that port
connections to any port but 80 will be denied, but note that someone might
just try changing the port on whatever computer they are trying to connect
to, to port 80. With an http proxy, that wouldn't work.

        Craig Holmes

 

On September 27, 2001 02:47 pm, Waldemar Brodkorb wrote:
> Hello *,
>
> I have a question about firewalls and security on linux.
>
> Is there an advantage to using application proxies instead of a
> masquerading box to secure a LAN with private IP addresses from
> the dangerous internet?
>
> I don't mean danger from inside the LAN (which could be solved
> through user authentication, IP-based ACLs ...).
>
> When I have to allow users inside my network the use of IRC, ICQ,
> RealAudio/RealVideo or FTP (with a real FTP client), is then an
> application proxy more secure than masquerading?
>
> Under application proxies I understand the use of squid
> (for http/ftp/https) or dante (for socks5 aware applications).
>
> thanks for any comments.
>
> bye
> Waldemar
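
The port-80 case described in the reply above, as an added example that is not part of the original message: a simplified model (not squid's or any firewall's actual code) that compares a "destination port 80 only" rule on a masquerading box with a proxy that inspects the first line for an HTTP request. The function names, the method allow-list and the sample flows are constructed for illustration, and clients are assumed to be explicitly configured to use the proxy.

```python
import re

# Constructed model, not code from squid or netfilter.

def port_filter_allows(proto: str, dport: int) -> bool:
    """Masquerading box with a 'TCP port 80 only' rule: sees ports, not content."""
    return proto == "tcp" and dport == 80

# Request line an explicitly configured proxy client sends:
# METHOD SP absolute-http-URL SP HTTP/1.x  (the method list is an assumed policy)
_REQUEST_LINE = re.compile(rb"(GET|HEAD|POST) http://[^\s/]+(/\S*)? HTTP/1\.[01]")

def http_proxy_allows(first_bytes: bytes) -> bool:
    """HTTP proxy: refuses anything whose first line is not an HTTP request."""
    line, crlf, _rest = first_bytes.partition(b"\r\n")
    return bool(crlf) and _REQUEST_LINE.fullmatch(line) is not None

# Constructed sample flows: (label, protocol, destination port, first bytes sent)
FLOWS = [
    ("web request", "tcp", 80,
     b"GET http://www.example.com/index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    ("IRC on its usual port", "tcp", 6667,
     b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    ("IRC server moved to port 80", "tcp", 80,
     b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
]

def compare(flows=FLOWS):
    """Return {label: (port_filter_decision, proxy_decision)} for each flow."""
    return {
        label: (port_filter_allows(proto, dport), http_proxy_allows(data))
        for label, proto, dport, data in flows
    }

if __name__ == "__main__":
    for label, (by_port, by_proxy) in compare().items():
        print(f"{label:30} port filter: {by_port!s:5}  http proxy: {by_proxy}")
```

The third flow is the one the reply is about: the port rule passes it because only the port number is checked, while the proxy drops it because the first line is not an HTTP request.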


