From: sangster @
net (Paul Sangster)
Date: Tue, 31 Oct 1995 07:58:20 +0500
Subject: Re: WWW & Proxy Servers
> In article <Chameleon .
|> Apologies if the following questions has been asked before - if they
|> find them !
|> i) Is/Are there any proxy servers for WWW to restrict access to the WWW
|> a username basis AND to further restrict use of 'sub-protocols' supported
|> by WWW such as ftp, gopher ... again on a username basis ?
I recently dealt with this and found out that only ANS supported such a
system (at least they were the only ones to respond to my v-mail, e-mail and
letters). A few manufacturers claimed to have something in the works but
many of them have been selling non-existent features such as e-mail scanning
and virus protection for some time. Other vendors may have this feature by
now but make sure that you aren't getting vapor-ware.
I also have a general problem with the concept of keeping passwords on my
firewall. I know these will only be used for outgoing traffic but those
same passwords will be used by users to access everything else. ANS had to
keep the passwords on the firewall at that time but you might want to check
with them anyway. I couldn't use ANS anyway because my customer went out
and purchased a Gauntlet before defining all of the needs.
The solution that we found was a Netscape Proxy Server. This assumes that
you are using Netscape and allows the passwords to be kept on a separate
box. You also gain all of the performance advantages of the Netscape Proxy
Server. We used the configuration below.
Traffic is only allowed to go between the firewall and the proxy and the
proxy and the screen. No direct traffic is allowed. I like this method for
security. This also has some advantages with the logs. The security
manager is mainly concerned with someone trying to get in and the Gauntlet
logs give him that information quite well. The administrators are
interested in user ID, passwords and traffic and can get those logs from the
proxy. The security guys only need to manage the firewall and the
administrators only need to manage the proxy.
Download the Netscape proxy and check it out. We have ours running on
FreeBSD but are converting it to BSDI (some people like to spend money).
Steve Moubray DCC, Inc.
(612) 378-4469 Fax (612) 378-4401