RE: Proxy & Firewall Implementation

From: Conlan Adams (conlan_at_mebtc.org)
Date: 01/13/05

    Date: Thu, 13 Jan 2005 13:56:45 -0500
    To: "John" <naverxp@yahoo.com.sg>, <security-basics@securityfocus.com>
    
    

    If they want to implement a proxy server, with the intent of keeping an
    eye on or restricting traffic, what works well is to put it on the main
    network behind the firewall, and allow only port 80 and 443 traffic to
    go through the firewall from that machine. That way if anyone tries to
    remove the proxy settings they can't get out.

    Another suggestion on the firewall front, check out the WatchGuard
    products, if it's a decent size network (50-100 users or more) they are
    a very nice option.

    The reason some folks put all of their externally available servers
    outside the network in a DMZ, is to protect the rest of the network
    in case something gets compromised. There are good and bad things to
    that. Another option, is put a mail relay in the DMZ, do the spam and
    virus sifting on that machine then have it forward into the internal
    network for speed of access.

    Good luck

    Conlan Adams

    -----Original Message-----
    From: John [mailto:naverxp@yahoo.com.sg]
    Sent: Wednesday, January 12, 2005 8:04 PM
    To: security-basics@securityfocus.com
    Subject: Proxy & Firewall Implementation

    Hi

    I'm a fresh graduate in System Administrator field. Recently, with much
    luck, I was recommended to a company to implement a firewall system
    to their network infrastructure. I hope to pick up some experience from
    this forum as to how people in here might consider different
    circumstances when placing their proxy server inside a protected network
    (behind the firewall) or before the firewall. Would I need two firewalls?
    (I'm considering the Cisco FW and CyberGuard FW.)

    During my research, I found a document written by a blackhat who
    suggested allocating most of my services (httpd, mail, etc.) to a DMZ
    outside the internal network and making redundancies every night. My 2nd
    question: why did he suggest that? Why expose my services outside the
    network, where my information is live and exposed to the risk of being
    compromised?

    John
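
The egress rule described in the reply above (only the proxy may reach ports 80 and 443 through the firewall), written out as an added example that is not part of the original thread. It assumes a Linux firewall running nftables rather than the products named in the messages; the interface names `lan0`/`wan0`, the proxy address `10.0.0.10` and the DNS rules are constructed assumptions, and only forward filtering is shown.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original thread. Constructed values:
#   lan0      = interface facing the internal network
#   wan0      = interface facing the Internet
#   10.0.0.10 = the proxy server sitting on the internal network

define LAN_IF   = "lan0"
define WAN_IF   = "wan0"
define PROXY_IP = 10.0.0.10

table inet egress_filter {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were already allowed.
        ct state established,related accept
        ct state invalid drop

        # Only the proxy may open web connections to the outside.
        iifname $LAN_IF oifname $WAN_IF ip saddr $PROXY_IP tcp dport { 80, 443 } ct state new accept

        # Assumption: the proxy resolves names through an outside resolver.
        # Remove these two rules if it uses an internal DNS server instead.
        iifname $LAN_IF oifname $WAN_IF ip saddr $PROXY_IP udp dport 53 accept
        iifname $LAN_IF oifname $WAN_IF ip saddr $PROXY_IP tcp dport 53 ct state new accept

        # A client that removed its proxy settings ends up here. Log the
        # attempt so it can be followed up, then refuse it quickly so the
        # browser fails immediately instead of hanging on a timeout.
        iifname $LAN_IF oifname $WAN_IF tcp dport { 80, 443 } log prefix "proxy-bypass: " reject with tcp reset

        # All other outbound traffic falls through to the drop policy.
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading the rules.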

