> Why not run the proxy on the wall?
>
> 1) most proxies have holes large enough for your delivery trucks to drive
> through in terms of access privs, etc. etc. Do you want large, monolithic
> programs running on the firewall? No.
But they are less a security risk than the services they proxy for. I'd
much rather have a proxy service I can code review, recompile, instrument,
debug, log and KILL, than a bunch of well meaning users who import ALL sorts
of things (IRC?!?!?!), fill up filesystems, break things, demand root
privileges, etc.
Proxies may not be entirely safe, but they are MUCH more manageable than
the users they replace.
> 2) processor gets eaten up by the proxy server. big, complex program=
> big, complex cpu usage.
Processors get eaten up by users, to a larger degree than the corresponding
user load. Think about it, a proxy is only going to handle the
control and data for the service; it isn't going to handle the shell
processing, the terminal interrupt processing, the disk I/O processing, and
on and on and on...
Oh, by the way, who says that proxies are big monolithic programs???
> 3) firewall is a choke point, not a common access point. One is
> providing a service, the other security. Compartmentalization means that
> weaknesses in one will have a minimal impact on the other.
Hmm. I do believe that a firewall is a choke point BECAUSE it is the
common access point to the internet. The philosophy of a firewall
(not to start THAT discussion up again) [to steal from the LA Police
department] is to protect and serve, in that order.
> 4) You don't have to run the server on the wall. It supports socks.
> Socks was designed to run on a firewall and provide the requisite service
> (security, address masking, validation, etc.). Proxy servers were
> designed to serve documents.
Okay, I'll nit pick. What is the difference between a proxy and socks?
Is not the purpose of both to provide a tunnel through the firewall for
a well defined protocol such that the firewall does not appear in the
data path?
> 5) Configuration, based on changes in your network, of the proxy mean
> that the system should be easily accessible to make those changes. A
> firewall should not be changed at the same rate or for the same trivial
> reasons.
I don't understand this, but that may be because I missed the leading
article on this.
> 6) It is easier.
Easier than what? See above.
JGT
--
John G. Thompson   jgt10@amdahl.com   1-408-992-2088
Amdahl Corporation, P.O. Box 3470 MS 383, Sunnyvale, CA 94088-3470
[The opinions expressed are MINE. They do not necessarily reflect the
policies, procedures, press releases or opinions of the Amdahl Corporation.]
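As an added illustration of the point raised above about SOCKS versus a proxy (both open a tunnel through the firewall for one well-defined protocol, and the firewall's job is to validate the request before the data path exists), here is example code that is not part of the original thread and not anyone's production firewall. It parses the first client message of a SOCKS4 CONNECT and of an HTTP CONNECT, runs both through one destination policy, and builds the wire reply a choke point would return. The port allowlist, the denied networks, the sample requests and the hostname handling are all assumptions made for the example.

```python
import ipaddress
import struct

# Constructed policy for this example (not from the thread): the choke point
# relays only to these destination ports, and never into these networks.
ALLOWED_PORTS = {80, 443}
DENIED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("127.0.0.0/8")]

SOCKS4_GRANTED, SOCKS4_REJECTED = 90, 91


def parse_socks4_connect(data: bytes):
    """Parse a SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.
    Returns (userid, dst_ip, dst_port); raises ValueError on anything else."""
    if len(data) < 9:
        raise ValueError("short SOCKS4 request")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 4 or cd != 1:
        raise ValueError("not a SOCKS4 CONNECT")
    dst_ip = str(ipaddress.IPv4Address(data[4:8]))
    nul = data.find(b"\x00", 8)
    if nul < 0:
        raise ValueError("USERID not NUL-terminated")
    userid = data[8:nul].decode("ascii", "replace")
    return userid, dst_ip, port


def parse_http_connect(request_line: bytes):
    """Parse 'CONNECT host:port HTTP/1.x' (bracketed IPv6 is not handled here).
    Returns (host, port); raises ValueError on anything else."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/"):
        raise ValueError("not an HTTP CONNECT request line")
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        raise ValueError("malformed host:port")
    return host.decode("ascii", "replace"), int(port)


def policy_allows(host: str, port: int) -> bool:
    """The validation step the firewall performs before the data path opens."""
    if port not in ALLOWED_PORTS:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True   # a hostname: this example leaves resolution to the outside leg
    return not any(addr in net for net in DENIED_NETS)


def socks4_reply(granted: bool) -> bytes:
    """SOCKS4 reply: VN=0, CD=90 (granted) or 91 (rejected), then ignored port/IP."""
    return struct.pack("!BBHI", 0, SOCKS4_GRANTED if granted else SOCKS4_REJECTED, 0, 0)


def decide(request: bytes) -> dict:
    """Classify the client's first message, extract the requested destination,
    apply the policy and build the reply the choke point would send back.
    The dict is what you would log: one record per tunnel request."""
    if request[:1] == b"\x04":
        try:
            user, host, port = parse_socks4_connect(request)
        except ValueError as err:
            return {"proto": "socks4", "error": str(err), "allowed": False,
                    "reply": socks4_reply(False)}
        allowed = policy_allows(host, port)
        return {"proto": "socks4", "user": user, "host": host, "port": port,
                "allowed": allowed, "reply": socks4_reply(allowed)}

    try:
        host, port = parse_http_connect(request.split(b"\r\n", 1)[0])
    except ValueError as err:
        return {"proto": "http-connect", "error": str(err), "allowed": False,
                "reply": b"HTTP/1.1 400 Bad Request\r\n\r\n"}
    allowed = policy_allows(host, port)
    reply = (b"HTTP/1.1 200 Connection Established\r\n\r\n" if allowed
             else b"HTTP/1.1 403 Forbidden\r\n\r\n")
    return {"proto": "http-connect", "host": host, "port": port,
            "allowed": allowed, "reply": reply}


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "socks4 web": b"\x04\x01\x00\x50\xc0\x00\x02\x01alice\x00",    # 192.0.2.1:80
    "socks4 inside": b"\x04\x01\x00\x50\x0a\x01\x02\x03bob\x00",   # 10.1.2.3:80
    "http tls": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    "http irc": b"CONNECT irc.example.net:6667 HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        d = decide(req)
        print(f"{name:14} {d['proto']:12} allowed={d['allowed']} reply={d['reply']!r}")
```

The two parsers differ only in framing; the decision and the log record are the same code, which is the practical sense in which SOCKS and an application proxy are both "a tunnel for a well-defined protocol". Everything the firewall actually enforces lives in `policy_allows`, and that function is the small, reviewable piece the post argues for.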