Great Circle Associates Firewalls
(April 1995)

Subject: Re: http proxy on firewall
From: jgt10@amdahl.com (John G. Thompson)
Date: Thu, 6 Apr 1995 08:22:54 -0700 (PDT)
To: bdboyle@maverick.erenj.com (Bryan D. Boyle)
Cc: firewalls-digest@greatcircle.com
In-reply-to: <Pine.3.89.9504052256.A4336-0100000@maverick.erenj.com> from "Bryan D. Boyle" at Apr 5, 95 10:16:00 pm

> Why not run the proxy on the wall?
> 
> 1) most proxies have holes large enough for your delivery trucks to drive 
> through in terms of access privs, etc. etc.  Do you want large, monolithic
> programs running on the firewall?  No.

But they are less a security risk than the services they proxy for.  I'd
much rather have a proxy service I can code review, recompile, instrument,
debug, log and KILL, than a bunch of well meaning users who import ALL sorts
of things (IRC?!?!?!), fill up filesystems, break things, demand root 
privileges, etc.

Proxies may not be entirely safe, but they are MUCH more manageable than
the users they replace.  

> 2) processor gets eaten up by the proxy server.  big, complex program=
> big, complex cpu usage.

Processors get eaten up by users, to a larger degree than the corresponding
user load.  Think about it, a proxy is only going to handle the 
control and data for the service, it isn't going to handle the shell 
processing, the terminal interrupt processing, the disk io processing, and
on and on and on...

Oh, by the way, who says that proxies are big monolithic programs???

> 3) firewall is a choke point, not a common access point.  One is 
> providing a service, the other security.  Compartmentalization means that 
> weaknesses in one will have a minimal impact on the other.  

Hmm.  I do believe that a firewall is a choke point BECAUSE it is the 
common access point to the internet.  The philosophy of a firewall
(not to start THAT discussion up again) [to steal from the LA Police
department] is to protect and serve, in that order.

> 4) You don't have to run the server on the wall.  It supports socks.  
> Socks was designed to run on a firewall and provide the requisite service 
> (security, address masking, validation, etc.).  Proxy servers were 
> designed to serve documents.

Okay, I'll nit pick.  What is the difference between a proxy and socks?
Is not the purpose of both to provide a tunnel through the firewall for 
a well defined protocol such that the firewall does not appear in the 
data path?
 
> 5) Configuration, based on changes in your network, of the proxy mean 
> that the system should be easily accessible to make those changes.  A 
> firewall should not be changed at the same rate or for the same trivial 
> reasons.  

I don't understand this, but that may be because I missed the leading 
article on this.
 
> 6) It is easier.

Easier than what?  See above.

JGT
-- 
John G. Thompson    jgt10@amdahl.com      1-408-992-2088
Amdahl Corporation, P.O. Box 3470 MS 383, Sunnyvale, CA 94088-3470

[The opinions expressed are MINE. They do not necessarily reflect the 
policies, procedures, press releases or opinions of the Amdahl Corporation.]