[I've removed all recipients except Ted and the firewalls list--this
isn't really Cisco-related. I've also reformatted his post to be more
readable.]
Ted Mittelstaedt <tedm @ portsoft . com> writes:
> One thing that I have always disliked about TIS is its reliance on
> proxies. This, of course, breaks all command-line programs under
> Windows and DOS, and requires an expensive (in manpower, that is)
> reconfiguration on every client.
Most modern proxy firewalls, including modern versions of TIS Gauntlet
(though not the free FWTK, it's true), use transparent proxies, which
require no reconfiguration on the client.
> It is also unsafe, as it requires authentication to the proxy host
> itself internally, for ftp and mail, etc.
Explain how this is 'unsafe'.
> A much more modern and cleaner solution is to use network address
> translation, in conjunction with a very restricted access list on
> the NAT. NAT is available on Linux as well, referred to as IP
> masquerading. It also makes it impossible for a remote host to
> break a client on a NAT network (unless the NAT box itself is
> compromised) because you use RFC-unassigned internally, which is
> unroutable on the Internet.
Proxy firewalls can give you a NAT-equivalent as well--since the
firewall's external interface originates all outgoing connections,
there's nothing to prevent you using private addresses for your
internal network. In addition, proxies can give you finer-grained
control (such as protocol-level filtering, the ability to selectively
block Java, etc.) than either NAT+packet filtering or 'stateful
inspection'. NAT can also run into problems with protocols such as
FTP which embed IP addresses in the payload portion of packets (not
that it can't be done, but it takes a bit of code for each such
protocol).
All of the above technologies are useful; you have to know the
advantages and disadvantages of each and apply that knowledge to the
problem at hand.
-Doug
--
sub g{my$i=index$t,$_[0];($i%5,int$i/5)}sub h{substr$t,5*$_[1]+$_[0],1}sub n{(
$_[0]+4)%5}$t='encryptabdfghjklmoqsuvwxz';$c='fxmdwbcmagnyubnyquohyhny';while(
$c=~s/(.)(.)//){($w,$x)=g$1;($y,$z)=g$2;$w==$y&&($p.=h($w,n$x).h($y,n$z))or$x==
$z&&($p.=h(n$w,$x).h(n$y,$z))or($p.=h($y,$x).h($w,$z))}$p=~y/x/ /;print$p,"\n";
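The FTP point above (addresses embedded in the payload, so NAT needs extra code per protocol) is easy to see in the PORT command. The following is an added example, not code from the thread or from any firewall product: a minimal model of what a NAT box's FTP helper must do, with constructed sample commands; the private ranges, the external address 203.0.113.5 and the port allocator are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed assumptions: RFC 1918-style private ranges the internal network uses.
PRIVATE_NETS = [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" tells the server where to connect back.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def parse_port(line):
    """Decode a PORT command into (ip, port); None if the line is not a PORT command."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("malformed PORT argument: %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_port(ip, port):
    """Encode (ip, port) back into the PORT wire format with CRLF."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


def rewrite_port(line, external_ip, allocate_port):
    """The per-protocol fix a NAT needs: if the client embedded a private address,
    replace it with the NAT's external address and a port the NAT will map back.
    Returns (possibly rewritten line, mapping or None). Without this, the server
    would try to connect to an unroutable address and the transfer would fail."""
    parsed = parse_port(line)
    if parsed is None:
        return line, None
    ip, port = parsed
    if not any(ip_address(ip) in net for net in PRIVATE_NETS):
        return line, None  # public address embedded: nothing for the NAT to fix
    ext_port = allocate_port(ip, port)  # assumed allocator: picks a free external port
    return format_port(external_ip, ext_port), (ip, port, ext_port)


def port_matches_source(line, source_ip):
    """Sanity check a proxy or helper should make: the embedded address must be the
    address the command actually came from, otherwise refuse to relay it."""
    parsed = parse_port(line)
    return parsed is not None and parsed[0] == source_ip
```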