I'm just learning to fiddle with Firewall-1 but in their config they
offer the option to point to another http proxy from their proxy. You
need to run the CERN http proxy on another system but the firewall can
pass off to it after its own rules are satisfied.
Yes, you have to shell out extra hardware bucks.
I would not want to muck around replacing my firewall vendor's software
(well, not much and not yet....:) with public domain stuff. Besides the
old issue of not having a body to point a finger at, I believe the CERN
proxy is not meant as a firewall proxy. My understanding is that it is
meant to provide caching of http pages and URLs. It is not _likely_ to
be as simple or robust as a firewall's http proxy (from any vendor). Is
it designed to prevent inbound attacks and provide user authentication?
(Tell me please, since I haven't played with it. Ignorant minds want to
know.)
OK, here's a drawing:

    Inet----router----x---FW-1-----Internal net
                            |
                            |
                      CERN Proxy and DMZ
FW-1, Eagle, SmartWall and many other firewalls now support multiple
interfaces. Use one for the http cache proxy and DMZ (or use two+ for
DMZs). The double hop to and from the proxy server is not a relevant
traffic load if your Inet link is a T-1. However, if your actual load
is approaching T-1 rates, it keeps that 1.54 Mbps from being a double hit
on the other network interfaces. A lot of people also like to hang it
off the X, but why not use the tools the firewall vendors give you?
> Date: 22 Sep 96 13:08:59 EDT
> From: Ryan Russell/SYBASE <Ryan.Russell@sybase.com>
> Subject: Re: Firewall-1 + CERN http proxy
>
> They certainly won't both run on the same machine, they'd
> be trying to listen on the same port..
>
> Ryan
>
> - ---------- Previous Message ----------
> To: firewalls
> cc: fletch
> From: fletcherc@ttmc.com (Fletcher Cocquyt) @ smtp
> Date: 09/22/96 12:16:28 PM
> Subject: Firewall-1 + CERN http proxy
>
> Greeting Firewallers,
>
> Forgive me if this has been asked recently or is covered in some other
> FAQ, but I have a question regarding Firewall-1 and the CERN http proxy:
>
> Is it possible to substitute the CERN httpd which does caching for the
> Firewall-1 http proxy which does not do caching? If Sun's product did the
--
Adam Safier asafier@csc.com
CSC-SED-Infosec (301) 794-1349
Technology Abuse: Netscape Frames on a 14" screen.
Kerberos is a three headed bitch (just look carefully at the MIT logo:)
The above are my own opinions,
and I'm proud to live in a country where I'm free to express them!