Internal roots and Internet access ?

Seifert, Reinhold (EDP Sys.) Seifert at seeg.sharp-eu.com
Mon Mar 25 16:26:59 UTC 2002



> -----Original Message-----
> From: Simon Waters [mailto:Simon at wretched.demon.co.uk]
> Sent: Saturday, March 23, 2002 2:36 PM
> Subject: Re: Internal roots and Internet access ?
> 
> 
> 
> "Seifert, Reinhold (EDP Sys.)" wrote:
> > 
> > Now we are going to replace our proxying firewall by packet-filtering
> > firewalls.
> 
Simon> > And they call it progress ;(

Indeed. "They" said (e.g.) a packet filter is much faster than a proxy...
But your comment suggests you could elaborate on some pros/cons of
packet filter vs. appl. proxy, presumably based on your own experience?
I would appreciate it very much.

> 
> > This introduces the need that at least part of the internal clients will be
> > able to resolve Internet names.
> 
Simon> > Deploy a web proxy in the DMZ of the firewall sounds like a good
Simon> > plan to me ;)

Great idea. So far, I did not consider a Web proxy in the DMZ (sure, we have
Intranet proxies). Would you put it in the DMZ for security reasons? I mean,
would you recommend that even when we only allow outbound http traffic? There
will *never* be inbound (to the internal net) http traffic.

Yes, I will certainly deploy http and ftp proxies. But what do I do with all
these "generic" TCP/UDP proxies (dedicated services & various ports) I
currently use on the firewall? For instance, I need a TCP proxy listening on
(say) port 4711 that connects to port 5712 on some host on the internet. This
proxy should be able to handle 50+ simultaneous client connections. Any
suggestions?

Simon> > 
Simon> > If the firewall can't proxy, you can at least do the decent
Simon> > thing, and deploy servers that can help enforce the security
Simon> > policy.

I thought the firewall would do that for me. Am I missing something?

Simon> > That said if you already have 5+ different DNS server types,
Simon> > perhaps it is time to redo the DNS anyway.

Yes. That's why I subscribed to the list ;-)
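The "generic" TCP proxy asked about above (listen on one port, relay every connection to a single fixed host:port, survive 50+ concurrent clients) is the kind of thing a small policy-enforcing relay can do without the firewall's help. The following is an added example written for this page, not code from the message, from the list, or from BIND; it assumes Python's asyncio, uses the thread's port 5712 for the destination, and treats the upstream host name, the session cap of 64 and the loopback self-check as assumptions. A deployment would bind the same handler to the thread's listener port 4711 with asyncio.start_server.

```python
import asyncio
import logging
UPSTREAM_HOST = "upstream.example"  # placeholder: the ONE destination the relay may reach
UPSTREAM_PORT = 5712                # destination port named in the thread
MAX_SESSIONS = 64                   # assumed hard cap on concurrent sessions (thread asks for 50+)
log = logging.getLogger("tcp-relay")

async def _pump(reader, writer):
    # Copy bytes one way until EOF, then half-close the other side.
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    except ConnectionError: pass    # peer reset; treat as EOF
    finally:
        if writer.can_write_eof() and not writer.is_closing():
            writer.write_eof()

def make_handler(upstream_host, upstream_port, max_sessions):
    # Per-connection handler bound to ONE fixed upstream: clients cannot pick targets.
    sem = asyncio.Semaphore(max_sessions)
    async def handle(client_r, client_w):
        peer = client_w.get_extra_info("peername")
        if sem.locked():            # cap reached: refuse now rather than queue
            log.warning("refusing %s: %d sessions active", peer, max_sessions)
            client_w.close(); return
        async with sem:
            try:
                up_r, up_w = await asyncio.open_connection(upstream_host, upstream_port)
            except OSError as exc:
                log.error("upstream unreachable for %s: %s", peer, exc)
                client_w.close(); return
            log.info("session %s -> %s:%d", peer, upstream_host, upstream_port)
            await asyncio.gather(_pump(client_r, up_w), _pump(up_r, client_w))
            up_w.close(); client_w.close()
    return handle

async def _roundtrip(payload):
    # Loopback self-check (constructed): client -> relay -> echo server; returns the echoed bytes.
    async def echo(r, w):
        w.write(await r.read(65536)); await w.drain(); w.close()
    upstream = await asyncio.start_server(echo, "127.0.0.1", 0)
    relay = await asyncio.start_server(
        make_handler("127.0.0.1", upstream.sockets[0].getsockname()[1], MAX_SESSIONS), "127.0.0.1", 0)
    r, w = await asyncio.open_connection("127.0.0.1", relay.sockets[0].getsockname()[1])
    w.write(payload); await w.drain(); w.write_eof()
    echoed = await r.read(); w.close(); relay.close(); upstream.close()
    return echoed
def roundtrip(payload: bytes) -> bytes:
    return asyncio.run(_roundtrip(payload))
```

Because the upstream is fixed in code and the cap is enforced before any outbound connect, the relay cannot be turned into an open forwarder by its clients, and every session is logged with the peer address.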
