Great Circle Associates Firewalls
(April 1995)

Subject: Re: FW: Proxy WWW through firewall
From: "Yan Fa LI" <yanfali @ hpbbi30 . bbn . hp . com>
Date: Thu, 06 Apr 95 10:11:22 +0200
To: Firewalls @ GreatCircle . COM

> From: sdw @ lig . net (Stephen D. Williams)
> Date: Wed, 5 Apr 1995 17:08:29 +0000 (GMT)
> Subject: Re: FW: Proxy WWW through firewall
> 
> > 
> > 
> > Put the proxy *behind* the firewall, point the clients to it and proxy over
> > the firewall (using something like socks) .... or *not recommended* run the
> > proxy on the firewall, and point the clients to it.  Why did you decide to
> > put the proxy outside the firewall?
> 
> I disagree.  The proxy should go outside the firewall: Cern reached
> with a simple app gateway or via a bastion allowed IP address works
> just fine.  I don't want to use socks or a whole bunch of other
> proxies for wais, gopher, http, ftp, etc. 
> 
> 
> sdw
> - -- 

Well, I'll have to disagree with you here as WWW proxies can provide all
these services through one interface with locally manageable access
control lists, cascaded proxy setups and control over which services
are allowed and which are not.  For the users a big win I think, one
interface and all that blah blah.

With the proxy behind the firewall you also present only 1 IP address to
the world, that of your socks proxy host.  The WWW proxy is also not
directly accessible from the outside world hopefully circumventing some
potential problems with the server.

What's to stop somebody cracking your external proxy host and then
putting a less than benign proxy host on it?  Means you also have to
configure your choke IP filter with all the hosts who want access to
the proxy, if I've correctly understood your argument.  Forgive me if I
haven't.  But with a site in the 5 figure range, I'm not sure I'd
willingly do that.

Of course you are still vulnerable to cgi-script attacks :)  and the
ubiquitous Trojan or Virus attack, but then it's never been that easy ;)

Sincerely,

   Yan

 ___________________________________________________________________
| Bio-Routing:               | Electronic Connectivity:             |
|                            |                                      |
| Yan-Fa LI (CNS-BBN CSS)    | Phone:    +49 - 7031 14 1412         |
| Hewlett-Packard GmbH       | Fax:      +49 - 7031-14 1554         |
| Herrenberger Strasse 130   | Telnet:   778 - 1412                 |
| D-71034 Boeblingen         | Email:    yanfali@hpbbi30.bbn.hp.com |
| Germany                    |    Yan-Fa_Li@HP-Germany-om1.om.hp.com|
|____________________________|______________________________________|

 My views do not necessarily represent those of the Hewlett Packard
 Company and should be taken with a large dose of salt or whatever
 passes for sodium in your neck of the woods/universe/continuum/etc...
 ___________________________________________________________________
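The choke-filter argument in the exchange above, as an added example that is not part of the original posts: a tiny stateless first-match filter model compares "proxy behind the firewall, socks host out" with "proxy outside, every client let through", and counts how many internal hosts the outside proxy's address can then reach. Addresses (RFC 5737 documentation ranges), the proxy port and the rule shapes are assumptions, not the thread's.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addresses from the RFC 5737 documentation ranges; not from the post.
INTERNAL = ip_network("192.0.2.0/24")      # the site's client network
ANY = ip_network("0.0.0.0/0")
SOCKS_HOST = ip_address("192.0.2.1")       # design A: the one inside host allowed out
PROXY_OUTSIDE = ip_address("203.0.113.5")  # design B: WWW proxy placed outside
PROXY_PORT = 8080                          # assumed proxy listener port

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

def host(a: IPv4Address) -> IPv4Network:
    return ip_network(f"{a}/32")

def decide(rules, src, dst, dport) -> str:
    """First matching rule wins; no match means deny (stateless choke filter)."""
    for r in rules:
        if src in r.src and dst in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"

def design_a_rules():
    """Proxy behind the firewall: only the socks host is ever seen by the world."""
    return [Rule("permit", host(SOCKS_HOST), ANY),
            Rule("permit", ANY, host(SOCKS_HOST))]   # return traffic to the relay

def design_b_rules(clients):
    """Proxy outside: every client needs an outbound rule plus a return-traffic rule."""
    rules = []
    for c in clients:
        rules.append(Rule("permit", host(c), host(PROXY_OUTSIDE), PROXY_PORT))
        rules.append(Rule("permit", host(PROXY_OUTSIDE), host(c)))
    return rules

def reachable_from(rules, src, dport=PROXY_PORT):
    """Internal hosts that packets sourced from `src` get through the filter to."""
    return [h for h in INTERNAL.hosts() if decide(rules, src, h, dport) == "permit"]

if __name__ == "__main__":
    clients = list(INTERNAL.hosts())[1:201]  # constructed: 200 client hosts
    for name, rs in (("A", design_a_rules()), ("B", design_b_rules(clients))):
        print(name, len(rs), "rules,", len(reachable_from(rs, PROXY_OUTSIDE)), "exposed")
```

With 200 clients design A needs 2 rules and exposes only the socks host to the outside proxy's address, while design B needs 400 rules and exposes all 200 clients to it, which is the "cracked external proxy" risk raised above.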
