
[FW1] MIME-Version: 1.0




Hello Firewallers,

I'm considering a solution like this:

             squid
               |
<--internet--[fw1]--intranet---

And here are some thoughts of mine:

1. Why in the DMZ:
- gives an additional point of logging
- it's as secure as the rest of the stuff in the DMZ
- can be a DNS backup (when the primary ext. fails)

A drawback: it probably adds some load to the firewall traffic.
Logs might give only a vague clue about what users are looking for on the internet, as they, once authenticated, are (must be) NAT'ed to some specific address (IP range?), so I can find myself pretty stuck with the same IPs along with the same time stamps going to different URLs.

2. Why not on the intranet side:
- If I have http/ftp authentication turned on, does putting a squid inside kind of overlap it? (I'm not sure)

3. Why not externally: insufficient capability to screen the box outside right now.

Questions:
- Does it need a primary cache it does the updates from?
  (I'd rather not do a chain)
- Do I need to make changes in Properties Setup -> Security Policy?
 
Greetings
Dominik M Miklaszewski
__________________
mikey@iowalink.com


