Great Circle Associates Firewalls
(November 1995)
 


Subject: Re: WWW & Proxy Servers
From: "Moubray, Steve" <SMOUBRAY@dcc.com>
Date: Sun, 5 Nov 1995 19:19:00 -0600
To: "'firewalls@greatcircle.com'" <firewalls@GreatCircle.COM>
Encoding: 72 TEXT

From: sangster@reston.ans.net (Paul Sangster)
Date: Tue, 31 Oct 1995 07:58:20 +0500
Subject: Re: WWW & Proxy Servers

> In article <Chameleon.4.01.2.951004133621.stuart@.ans-relay>,
stuart@loddon.demon.co.uk writes:
|> Apologies if the following questions have been asked before - if they have,
|> I can't find them!
|>
|> i) Is/Are there any proxy servers for WWW to restrict access to the WWW on
|> a username basis AND to further restrict use of 'sub-protocols' supported
|> by WWW such as ftp, gopher ... again on a username basis?
_____________________________

I recently dealt with this and found out that only ANS supported such a 
system (at least they were the only ones to respond to my v-mail, e-mail and 
letters).  A few manufacturers claimed to have something in the works but 
many of them have been selling non-existent features such as e-mail scanning 
and virus protection for some time.  Other vendors may have this feature by 
now but make sure that you aren't getting vapor-ware.

I also have a general problem with the concept of keeping passwords on my 
firewall.  I know these will only be used for outgoing traffic but those 
same passwords will be used by users to access everything else.  ANS had to 
keep the passwords on the firewall at that time but you might want to check 
with them anyway.  I couldn't use ANS anyway because my customer went out 
and purchased a Gauntlet before defining all of the needs.

The solution that we found was a Netscape Proxy Server.  This assumes that 
you are using Netscape and allows the passwords to be kept on a separate 
box.  You also gain all of the performance advantages of the Netscape Proxy 
Server.  We used the configuration below.


Outside
Router
   |
   -----Services
   |
Firewall
   |
   |
   -----Proxy
   |
   |
Screen
   |
   |
Internal
Network

Traffic is only allowed to go between the firewall and the proxy and the 
proxy and the screen.  No direct traffic is allowed.  I like this method for 
security.  This also has some advantages with the logs.  The security 
manager is mainly concerned with someone trying to get in and the Gauntlet 
logs give him that information quite well.  The administrators are 
interested in user ID, passwords and traffic and can get those logs from the 
proxy.  The security guys only need to manage the firewall and the 
administrators only need to manage the proxy.

Download the Netscape proxy and check it out.  We have ours running on 
FreeBSD but are converting it to BSDI (some people like to spend money).

 -------------------------------------
Steve Moubray     DCC, Inc.
(612) 378-4469    Fax (612) 378-4401
smoubray@dcc.com  http://www.dcc.com/
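The two controls described in the message above, as an added example that is not part of the original post and not the Netscape Proxy Server's or Gauntlet's own code: a segment policy in which only firewall<->proxy and proxy<->screen may talk, and a per-user proxy policy that authenticates the user and then restricts which URL sub-protocols (http, ftp, gopher) that user may request. The user table, passwords, zone names and request lines are constructed for the example; the authentication format is ordinary HTTP Basic over the Proxy-Authorization header.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# --- Segment policy: the screen and firewall only pass adjacent hops -------
# Only these two conversations exist in the diagram; anything else
# (internal<->firewall, firewall<->screen, ...) is "direct traffic" and is denied.
ALLOWED_SEGMENT_PAIRS = {
    frozenset({"firewall", "proxy"}),
    frozenset({"proxy", "screen"}),
}


def segment_allowed(src_zone, dst_zone):
    """True only for traffic between neighbouring zones in the chain (either direction)."""
    return frozenset({src_zone, dst_zone}) in ALLOWED_SEGMENT_PAIRS


# --- Per-user proxy policy: authenticate, then check the URL scheme -------
def _digest(salt, password):
    # Salted hash so the proxy box never stores the clear-text password.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user table: username -> (salt, password digest, permitted schemes).
USERS = {
    "stuart": (b"s1", _digest(b"s1", "correct horse"), {"http"}),
    "steve": (b"s2", _digest(b"s2", "battery staple"), {"http", "ftp", "gopher"}),
}


def make_request(url, creds=None):
    """Build an HTTP/1.0 proxy-style request; creds is 'user:password' or None."""
    lines = [f"GET {url} HTTP/1.0"]
    if creds is not None:
        token = base64.b64encode(creds.encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_proxy_request(raw):
    """Split a proxy request into (method, absolute URL, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, url, headers


def authorize(raw):
    """Return (status, reason): 407 unauthenticated, 403 scheme denied, 200 allowed."""
    method, url, headers = parse_proxy_request(raw)
    auth = headers.get("proxy-authorization", "")
    if not auth.lower().startswith("basic "):
        return 407, "Proxy Authentication Required"
    try:
        user, password = base64.b64decode(auth[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return 407, "Malformed credentials"
    entry = USERS.get(user)
    if entry is None:
        return 407, "Unknown user"
    salt, expected, allowed_schemes = entry
    # Constant-time comparison so response timing does not leak the digest.
    if not hmac.compare_digest(_digest(salt, password), expected):
        return 407, "Bad password"
    scheme = urlsplit(url).scheme.lower()
    if scheme not in allowed_schemes:
        return 403, f"{scheme} not permitted for {user}"
    return 200, f"{method} {scheme} allowed for {user}"


if __name__ == "__main__":
    for src, dst in [("firewall", "proxy"), ("proxy", "screen"), ("internal", "firewall")]:
        print(f"{src:>9} -> {dst:<9}", "allow" if segment_allowed(src, dst) else "deny")
    for url, creds in [
        ("http://www.example.com/", None),
        ("ftp://ftp.example.com/pub/", "stuart:correct horse"),
        ("ftp://ftp.example.com/pub/", "steve:battery staple"),
    ]:
        print(url, creds, authorize(make_request(url, creds)))
```

The point of keeping the two policies in separate functions mirrors the division of labour in the message: the screen and firewall rules are owned by the security manager and know nothing about users, while the proxy owns the user table and the sub-protocol restrictions, so the passwords never need to live on the firewall.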
