Internal roots and Internet access ?
Seifert, Reinhold (EDP Sys.)
Seifert at seeg.sharp-eu.com
Mon Mar 25 16:26:59 UTC 2002
> -----Original Message-----
> From: Simon Waters [mailto:Simon at wretched.demon.co.uk]
> Sent: Saturday, March 23, 2002 2:36 PM
> Subject: Re: Internal roots and Internet access ?
>
>
>
> "Seifert, Reinhold (EDP Sys.)" wrote:
> >
> > Now we are going to replace our proxying firewall by packet-filtering
> > firewalls.
>
Simon> > And they call it progress ;(
Indeed. "They" said (e.g.) that a packet filter is much faster than a proxy...
But your comment suggests you could elaborate on some pros/cons of
packet filters vs. application proxies, presumably based on your own experience?
I would appreciate that very much.
>
> > This introduces the need that at least part of the internal clients will be
> > able to resolve Internet names.
>
Simon> > Deploy a web proxy in the DMZ of the firewall sounds like a good
Simon> > plan to me ;)
Great idea. So far, I did not consider a Web proxy in the DMZ (sure, we have
Intranet proxies). Would you put it in the DMZ for security reasons? I mean,
would you recommend that even when we only allow outbound HTTP traffic? There
will *never* be inbound (to the internal net) HTTP traffic.
Yes, I will certainly deploy HTTP and FTP proxies. But what do I do with all
these "generic" TCP/UDP proxies (dedicated services & various ports) I
currently use on the firewall?
For instance, I need a TCP proxy listening on (say) port 4711 that connects to
port 5712 on some host in the Internet. This proxy should be able to handle
50+ simultaneous client connections. Any suggestions?
Simon> >
Simon> > If the firewall can't proxy, you can at least do the decent
Simon> > thing, and deploy servers that can help enforce the security
Simon> > policy.
I thought the firewall would do that for me. Am I missing something?
Simon> > That said if you already have 5+ different DNS server types,
Simon> > perhaps it is time to redo the DNS anyway.
Yes. That's why I subscribed to the list ;-)
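[Editor's added example, not part of the original message or of any product mentioned in it.] The "generic" TCP proxy asked about above (listen on 4711, connect to 5712 on one Internet host, 50+ simultaneous sessions) is a small fixed-destination relay. The sketch below shows the two things such a relay should do that a plain port-forward does not: check the client's source address against an allow-list before opening any upstream connection, and cap the number of concurrent sessions, refusing rather than queueing once the cap is hit. The target address 203.0.113.10, the allow-list networks and the local echo server are assumptions and constructed test fixtures, chosen so the relay can be exercised offline against a stand-in for the real Internet host.

```python
import ipaddress
import socket
import threading

# Numbers from the post: listen on 4711, relay to port 5712 on one Internet host.
LISTEN_PORT, TARGET_PORT, MAX_CLIENTS = 4711, 5712, 64   # 64 covers the "50+" sessions
TARGET_HOST = "203.0.113.10"   # assumption: placeholder address from the documentation range


class TcpRelay:
    """Fixed-destination TCP relay with a source allow-list and a session cap."""

    def __init__(self, listen_host, listen_port, target_host, target_port,
                 max_clients=MAX_CLIENTS, allowed_sources=("0.0.0.0/0",)):
        self.target = (target_host, target_port)
        self.allowed = [ipaddress.ip_network(n) for n in allowed_sources]
        self._slots = threading.BoundedSemaphore(max_clients)
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((listen_host, listen_port))
        self._sock.listen(128)
        self.listen_port = self._sock.getsockname()[1]   # real port if 0 was given

    def allows(self, addr):
        """Source policy: only clients inside an allowed network may use the relay."""
        return any(ipaddress.ip_address(addr) in n for n in self.allowed)

    def serve_forever(self):
        while not self._stop.is_set():
            try:
                client, (addr, _) = self._sock.accept()
            except OSError:
                break                        # listening socket closed by close()
            # Policy is enforced here, before any upstream connection is opened.
            if not self.allows(addr) or not self._slots.acquire(blocking=False):
                client.close()               # not allowed, or over capacity: refuse
                continue
            threading.Thread(target=self._session, args=(client,), daemon=True).start()

    def _session(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=10)
            upstream.settimeout(None)
            pumps = [threading.Thread(target=self._pump, args=(client, upstream)),
                     threading.Thread(target=self._pump, args=(upstream, client))]
            for p in pumps: p.start()
            for p in pumps: p.join()
            upstream.close()
        except OSError:
            pass                             # upstream unreachable: drop the client
        finally:
            client.close()
            self._slots.release()            # free the slot taken in serve_forever()

    @staticmethod
    def _pump(src, dst):
        """Copy bytes src -> dst; half-close dst when src reaches EOF."""
        try:
            while data := src.recv(65536):
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try: dst.shutdown(socket.SHUT_WR)
            except OSError: pass

    def close(self):
        self._stop.set()
        self._sock.close()


def _start_echo_server():
    """Constructed stand-in for the Internet host on 5712: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0)); srv.listen(8)
    def echo(conn):
        with conn:
            while data := conn.recv(65536): conn.sendall(data)
    def loop():
        while True:
            try: conn, _ = srv.accept()
            except OSError: return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo_relay(payload):
    """Run a one-slot relay to the local echo host. Returns (bytes echoed back through
    the relay, whether a second simultaneous client was refused with an immediate EOF)."""
    srv, port = _start_echo_server()
    relay = TcpRelay("127.0.0.1", 0, "127.0.0.1", port, max_clients=1,
                     allowed_sources=("127.0.0.0/8",))
    threading.Thread(target=relay.serve_forever, daemon=True).start()
    try:
        first = socket.create_connection(("127.0.0.1", relay.listen_port), timeout=5)
        first.sendall(payload)
        echoed = b""
        while len(echoed) < len(payload) and (chunk := first.recv(65536)):
            echoed += chunk
        second = socket.create_connection(("127.0.0.1", relay.listen_port), timeout=5)
        refused = second.recv(1) == b""      # the only slot is held by `first`
        second.close(); first.close()
        return echoed, refused
    finally:
        relay.close(); srv.close()


if __name__ == "__main__":
    # Real deployment would instead run, e.g.:
    # TcpRelay("0.0.0.0", LISTEN_PORT, TARGET_HOST, TARGET_PORT, MAX_CLIENTS,
    #          ("10.0.0.0/8",)).serve_forever()
    print(demo_relay(b"ping"))
```

Two design points worth noting for a DMZ deployment: the allow-list and the session cap are checked before the relay ever opens a connection to the Internet host, so a client that is out of policy costs nothing upstream; and a thread per session is fine for 50+ connections but the cap (a bounded semaphore) is what keeps a burst of clients from turning the relay into a connection amplifier toward the remote service.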