> (gee... how many people are going to flame me this time! :-)
> This being said, I was wondering if anyone else got the impression that
> people are trying to make firewalls do more than they really should?
Yes, but... if you have a caching proxy in the DMZ it's effectively
part of the firewall (scenario: it gets hacked and someone starts
tracking your web accesses and feeding you disinformation), no?
I would recommend putting the HTTP cache inside, as just another internal
service. I'm running the CERN server behind the firewall as both a cache
and our internal web server. That way it's not exposed, and doesn't have
to be treated as a component of the security perimeter.