Great Circle Associates Firewalls
(April 1995)

Subject: Re: http proxy on firewall
From: "Bryan D. Boyle" <bdboyle @ maverick . erenj . com>
Date: Wed, 5 Apr 1995 22:16:00 -0400 (EDT)
To: "Jon E. Price" <jon @ nytimes . com>
Cc: firewalls-digest @ greatcircle . com, baim @ itg . viacom . com, stan @ nytimes . com, gordy @ nytimes . com, dgbrown @ nytimes . com, theresa @ nytimes . com
In-reply-to: <9504060113 . AA14179 @ mailgate . nytimes . com>
Posted-date: Wed, 5 Apr 1995 22:16:00 -0400 (EDT)

Why not run the proxy on the wall?

1) most proxies have holes large enough for your delivery trucks to drive 
through in terms of access privs, etc. etc.  Do you want large, monolithic
programs running on the firewall?  No.

2) processor gets eaten up by the proxy server.  big, complex program=
big, complex cpu usage.

3) firewall is a choke point, not a common access point.  One is 
providing a service, the other security.  Compartmentalization means that 
weaknesses in one will have a minimal impact on the other.  

4) You don't have to run the server on the wall.  It supports socks.  
Socks was designed to run on a firewall and provide the requisite service 
(security, address masking, validation, etc.).  Proxy servers were 
designed to serve documents.

5) Configuration, based on changes in your network, of the proxy means 
that the system should be easily accessible to make those changes.  A 
firewall should not be changed at the same rate or for the same trivial 
reasons.  

6) It is easier.

(want more?)


Bryan D. Boyle           |The Moving Finger writes, and having writ, moves on.
#include <disclaimer>    |Nor all your Piety nor Wit can call it back to cancel
EMAIL: bdboyle @ erenj . com |Half a line, or all your tears wash out a Word of it.
--------------http://www.access.digex.net/~bdboyle/index.html---------------


On Wed, 5 Apr 1995, Jon E. Price wrote:

> 
> Why is running the http  proxy "on" the firewall "not recommended".
> 
> Jon
> 
> 
> >From: "Bai, Mario" <BAIM @ itg . viacom . com>
> >Date: Wed, 05 Apr 95 15:11:00 PDT
> >Subject: FW: Proxy WWW through firewall
> 
> >Put the proxy *behind* the firewall, point the clients to it and proxy over 
> >the firewall (using something like socks) .... or *not recommended* run the 
> >proxy on the firewall, and point the clients to it.  Why did you decide to 
> >put the proxy outside the firewall?
> 
> ---------------------------------------------------------------
> "Beware of bargains in bypass surgery, bungee jumping, and quality printing"
> 
> Jon E. Price
> Systems Analyst
> Publishing Systems
> The New York Times
> ---------------------------------------------------------------
> 
> 

