
RE: [FW1] Firewall-1 and MS Proxy Configuration





Hi Dean,


On Thu, 2 Sep 1999, Dean Cunningham wrote:

> Date: Thu, 2 Sep 1999 13:04:11 +1200
> From: Dean Cunningham <DeanC@wairc.govt.nz>
> To: 'Anchises Moraes Guimaraes de Paula' <AMoraes@americel.com.br>
> Cc: "'fw-1-mailinglist@lists.us.checkpoint.com'"
>     <fw-1-mailinglist@lists.us.checkpoint.com>
> Subject: RE: [FW1] Firewall-1 and MS Proxy Configuration
> 
> 
> Hi Anchises,
> 
> Thanks for the comments, I think both setups are just as acceptable and
> there are some security risks with both solutions.
> Some thoughts on your comments inline:
> 
> 
> - all my internal users are authenticated and logged in my M$ proxy
> server
> This can be achieved via a one way NT trust with the proxy server in the
> DMZ.
> I am not sure if MS proxy has to be a DC (domain controller) or not. If
> it had to be then I would be concerned in allowing the bad guys onto a
> proxy server that was a DC of your internal domain. (I understand a
> copy of the SAM is kept on a DC)

But this is a security risk, because there has to be a full NetBIOS
connection from the DMZ to the internal net. There are a lot of tools
which you can use to get any information you want through NetBIOS. The
DMZ is defined as a special part of a security installation, where
theoretically a hacker can break in. BUT it's a screened net. Because of
that I prefer not to place internal information (a PDC is a lot of
internal information) into this network.


If you install your caching and authenticating proxy in the intranet,
using for example a virus scanner as the next hop in the DMZ, you will
route all outbound traffic through the DMZ.


robert

> 
> - my proxy server is protected against the bad guys over the
> internet
> Fair point, it is as secure as a DMZ proxy server, no more, no less.
> 
> - my Firewall-1 does not have to handle all my HTTP traffic, just
> the ones filtered by my proxy
> Fair point, there is a load issue on the FW if you put the proxy server
> in the DMZ, but no different if you had no proxy server and the clients
> went direct. You could always put a proxy server internal and chain it
> up to the DMZ proxy if load was an issue, but an additional $
> 
> In regards to DHCP, FW1 and the lack of logging of usernames in FW1 logs,
> I am looking at MetaIP to resolve this for me.
> 
> cheers
> deanc
> 
> 
> -----Original Message-----
> From: Anchises Moraes Guimaraes de Paula
> [mailto:AMoraes@americel.com.br]
> Sent: Thursday, September 02, 1999 12:01 PM
> To: Dean Cunningham; 'sirving@ca.ibm.com'
> Cc: 'Pranadjaja'; 'fw-1-mailinglist@lists.us.checkpoint.com'
> Subject: RE: [FW1] Firewall-1 and MS Proxy Configuration
> 
> 
> 
> I prefer having my proxy server inside my corporate network.
> 
> By doing that I get the following advantages:
> 
> 	- all my internal users are authenticated and logged in my M$ proxy
> server
> 	- my proxy server is protected against the bad guys over the
> internet
> 	- my Firewall-1 does not have to handle all my HTTP traffic, just
> the ones filtered by my proxy
> 
> As I have a DHCP server and I do not do any authentication in my FW-1,
> if I try to log their internet access using my Firewall, I would get
> just their IP (which can change if the user keeps their computer turned
> off long enough).
> Moreover, logging with a M$ proxy server I'm getting the users'
> username, which helps us a lot.
> 
> Regards,
> 
> > Anchises  M. G. de Paula
> > AMERICEL
> > I.T. - Security Systems Coordinator
> > email: amoraes@americel.com.br
> > Phone: 061 329 6698
> > 
> > [remainder snipped for brevity]
> ***************************************************
> This e-mail is  not an  official  statement of  the
> Waikato  Regional  Council unless otherwise stated. 
> ***************************************************
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 



+--------------------------------------------------------------------+
|    /\     ARTICON AG            Tel :  +49-89-94573-235  Fax: -199 |
|   / /\    Robert Binder         Mail:  rbinder@articon.de          |
|  /_/\ \   Gutenbergstr. 1                                          |
| /____\_\  D-85737 Ismaning      WWW :  http://www.articon.de/      |
+--------------------------------------------------------------------+
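The two designs argued over in this thread differ mainly in which direction the firewall has to let traffic cross the DMZ boundary: a DMZ proxy with a one-way NT trust needs NetBIOS from the DMZ into the internal domain, while an internal proxy chained to a DMZ virus scanner only needs connections that originate inside. The following script is an added example, not code from the thread, from Check Point or from Microsoft; it models both designs as first-match rule bases (zone names, port numbers and the rules themselves are constructed assumptions) and lists the inbound NetBIOS ports each design has to open.

```python
"""Compare the two proxy placements from the thread as first-match firewall
rule bases and list the DMZ-to-internal NetBIOS flows each one permits.

Added example, not code from the thread, Check Point or Microsoft. The zone
names, ports and rule bases are constructed assumptions that follow the
designs described in the messages."""
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"
# NetBIOS name, datagram and session ports an NT-era domain trust relies on.
NETBIOS_PORTS = (137, 138, 139)


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or ANY
    dst: str      # zone name or ANY
    port: int     # 0 means any port
    action: str   # "accept" or "drop"
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Top-down first-match evaluation, the way a FW-1 style rule base reads."""
    for r in rules:
        if (r.src in (flow.src, ANY) and r.dst in (flow.dst, ANY)
                and r.port in (flow.port, 0)):
            return r
    return None


def is_accepted(rules: List[Rule], flow: Flow) -> bool:
    r = first_match(rules, flow)
    return r is not None and r.action == "accept"


def netbios_exposure(rules: List[Rule]) -> List[int]:
    """NetBIOS ports on which a DMZ host may open connections inward."""
    return [p for p in NETBIOS_PORTS
            if is_accepted(rules, Flow("dmz", "internal", p))]


# Design A (assumed): authenticating proxy in the DMZ with a one-way NT
# trust, so the DMZ host must reach the internal domain controllers.
DESIGN_A = [
    Rule("internal", "dmz", 8080, "accept", "clients to DMZ proxy"),
    Rule("dmz", "internal", 137, "accept", "NT trust: name service"),
    Rule("dmz", "internal", 138, "accept", "NT trust: datagram"),
    Rule("dmz", "internal", 139, "accept", "NT trust: session/SMB"),
    Rule("dmz", "internet", 80, "accept", "proxy to web"),
    Rule("dmz", "internet", 443, "accept", "proxy to web"),
    Rule(ANY, ANY, 0, "drop", "clean-up rule"),
]

# Design B (assumed): authenticating proxy inside, chained to a virus
# scanning proxy in the DMZ as its next hop; nothing in the DMZ calls inward.
DESIGN_B = [
    Rule("internal", "dmz", 8080, "accept", "internal proxy to DMZ scanner"),
    Rule("dmz", "internet", 80, "accept", "scanner to web"),
    Rule("dmz", "internet", 443, "accept", "scanner to web"),
    Rule(ANY, ANY, 0, "drop", "clean-up rule"),
]


if __name__ == "__main__":
    for name, rules in (("A: proxy in DMZ", DESIGN_A),
                        ("B: proxy inside", DESIGN_B)):
        print(name, "-> inbound NetBIOS from DMZ:",
              netbios_exposure(rules) or "none")
```

Running the script shows design A needing 137, 138 and 139 open from the DMZ inward and design B needing none, which is Robert's point; the same `netbios_exposure` check can be run against a real rule base export to confirm that a chained internal proxy really does leave the DMZ with no inbound NetBIOS path.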


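Anchises' reason for logging at the proxy is that FW-1 only records a DHCP-assigned source IP, which a different user may hold later in the day. The script below, an added example that is not from the thread or from any Check Point or Microsoft product, correlates firewall entries (IP only) with proxy entries (IP plus authenticated user) to attribute them to a user, and refuses to guess when no proxy sighting of that IP falls within a time window. The log formats and all log lines are constructed samples, not real FW-1 or MS Proxy output; the one-hour window is an assumption.

```python
"""Attribute firewall log lines (source IP only) to users by correlating them
with proxy log lines (IP plus authenticated user), allowing for DHCP handing
the same address to different users over the day.

Added example, not from the thread or any product. The log formats, entries
and the correlation window are constructed assumptions."""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed proxy log: time, client IP, authenticated user, destination.
PROXY_LOG = """\
1999-09-02T09:00:00 10.1.1.23 DOMAIN\\alice www.example.com
1999-09-02T09:05:00 10.1.1.23 DOMAIN\\alice www.example.org
1999-09-02T14:30:00 10.1.1.23 DOMAIN\\bob www.example.net
"""

# Constructed firewall log: time, source IP, destination, action.
FW_LOG = """\
1999-09-02T09:02:10 10.1.1.23 192.0.2.10:80 accept
1999-09-02T11:45:00 10.1.1.23 192.0.2.20:80 accept
1999-09-02T14:31:00 10.1.1.23 192.0.2.30:80 accept
"""

# How long a proxy sighting is allowed to vouch for an IP (assumption).
WINDOW = timedelta(hours=1)


def parse_proxy(text: str) -> List[Tuple[datetime, str, str]]:
    entries = []
    for line in text.splitlines():
        ts, ip, user, _dest = line.split()
        entries.append((datetime.fromisoformat(ts), ip, user))
    return entries


def parse_fw(text: str) -> List[Tuple[datetime, str, str, str]]:
    entries = []
    for line in text.splitlines():
        ts, src, dst, action = line.split()
        entries.append((datetime.fromisoformat(ts), src, dst, action))
    return entries


def users_for_ip(proxy_entries, ip: str) -> List[str]:
    """Every user the proxy has seen behind one address: shows DHCP reuse."""
    return sorted({user for _, pip, user in proxy_entries if pip == ip})


def attribute(fw_entries, proxy_entries, window: timedelta = WINDOW
              ) -> List[Tuple[str, str, Optional[str]]]:
    """For each firewall entry, pick the proxy sighting of the same IP that is
    closest in time, but only if it lies within the window; else None."""
    results = []
    for ts, src, _dst, _action in fw_entries:
        best: Optional[str] = None
        best_gap: Optional[timedelta] = None
        for pts, pip, user in proxy_entries:
            if pip != src:
                continue
            gap = abs(pts - ts)
            if gap <= window and (best_gap is None or gap < best_gap):
                best, best_gap = user, gap
        results.append((ts.isoformat(), src, best))
    return results


if __name__ == "__main__":
    proxy = parse_proxy(PROXY_LOG)
    print("users seen on 10.1.1.23:", users_for_ip(proxy, "10.1.1.23"))
    for when, ip, user in attribute(parse_fw(FW_LOG), proxy):
        print(when, ip, "->", user or "unattributed")
```

The middle firewall entry stays unattributed because the only proxy sightings of that address are hours away on either side, once under alice and once under bob; a naive one-to-one IP-to-user lookup would have silently assigned it to whichever user happened to be listed. Shrinking or widening `WINDOW` trades false attribution against coverage, and DHCP lease logs, where available, give a tighter source of truth than proxy sightings alone.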

