Hello,
The company I work for has decided to connect to the Internet using
a firewall solution. This is a rather long story, but after creating
a workgroup with people from IT Security, Systems Management and
Telecommunications, creating a Security Policy and contacting
several vendors, we decided to propose a solution integrating
several products, connected in series:
- A firewall using stateful inspection
- A proxy-based virus scanner (for NNTP, SMTP, HTTP, FTP)
- A proxy-based access control application (for "URL censorship")
- A proxy-based firewall
- A suite of auditing tools
With this we aimed at creating a screened subnet architecture, with
special focus on redundancy. We wanted to make sure that, if one of
the elements of the solution were compromised, the others would still
be able to provide some measure of security and eventually detect
attacks coming from the compromised element.
Someone else is proposing a cheaper solution, something like:
            +------------+
            | Stateful   |      |
Outside ----+ inspection +------+
networks    | firewall   |      |     +--------------+
            +-----+------+      |     | Dual-homed   |     |
                  |             |     | Netscape     |     | Internal
                  |             +-----+ Proxy Server +-----+ network
                  |             |     | HTTP, FTP,   |     |
            +-----+-------+     |     | Gopher       |     |
            | Netscape    |           +--------------+
            | Mail Server |
            +-------------+
They say that Netscape proxy server gives some additional security,
complementing the firewall, so this would also be a redundant solution
and with the added benefit of reducing the number of licences I need
on the firewall.
I don't know this Netscape Proxy Server, but I feel that it can't act
as a real firewall. Can someone on the list comment on the relative
security of this cheaper solution?
Many thanks,
Paulo
+-------------------------------+---------------------------------------+
| Paulo Jorge Delgado           | Internet: Paulo . Delgado @ bta . pt  |
| Banco Totta & Acores          | Office: +351-1-7922467                |
| Av. Miguel Bombarda 4, 7      | Fax: +351-1-7922481                   |
| 1000 Lisboa                   |                                       |
| Portugal                      |                                       |
+-------------------------------+---------------------------------------+