Educause Security Discussion mailing list archives

Re: Proxy Servers


From: Herrera Reyna Omar <omar_herrera () BANXICO ORG MX>
Date: Tue, 9 Mar 2004 14:52:30 -0600

-----Original Message-----
From: Larry Rogers [mailto:lrr () SEI CMU EDU]
In our Concepts and Trends class
(http://www.sei.cmu.edu/products/courses/cert/concepts-trends-infosecurity.html)
I teach the concept of having a proxy server for Internet access even if that
proxy server presently has no "deny" policy. I teach that architecting such a
server gives the opportunity to put in a policy to address attacks and
vulnerabilities more quickly than may otherwise be possible.

Are there any of you out there doing this kind of thing?

If you are, how's it going?

If you aren't, could you {technically, politically}?

If you tried this but abandoned the attempt, why did it fail?

It makes sense, for a proxy, even without filters, effectively separates
two networks at the level where they are applied.

For example, an HTTP proxy without filters will conceal your user's IP
address, probably the browser type he/she uses and maybe some more
things. In the end, the external server will only see the proxy (even if
there are many users connecting through it) and attacks directed at the
application level (http) will hit the proxy first (they might pass
through it directly though, it depends on the attack).

Conceptually it gives you some level of protection (not much but some).
Actually, this is the same concept behind NAT (just at a different
layer).

Having a centralized server (proxy) where Internet traffic
(http/smtp/...) goes through helps you protect your whole network by
applying rules that take immediate effect on your network in case of an
emergency. Otherwise you would need to push your policies to each
workstation.

Proxies work well here at ITESM CCM where I teach (there are many
filters in place).

Regards,
Omar Herrera
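
An added sketch (not part of the original message, and not any particular proxy product) of the two points discussed above: a proxy whose "deny" policy starts empty still hides the client from the external server, and a single rule added centrally takes effect for every workstation at once. All names, addresses and the set of stripped headers are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

PROXY_IP = "192.0.2.10"  # constructed: the only address external servers see
# Assumption: this proxy drops headers that identify the internal client.
STRIPPED = {"user-agent", "x-forwarded-for", "via"}

@dataclass
class ProxyPolicy:
    """Central rule set. Both deny lists start empty (no "deny" policy)."""
    deny_hosts: list = field(default_factory=list)  # glob patterns, lowercase
    deny_paths: list = field(default_factory=list)  # glob patterns on the path

    def allows(self, host, path):
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        if any(fnmatchcase(host, p) for p in self.deny_hosts):
            return False
        return not any(fnmatchcase(path, p) for p in self.deny_paths)

def forward(policy, client_ip, host, path, headers):
    """Return the request as the external server sees it, or None if denied.

    client_ip stays on the internal side; it is never copied outward.
    """
    if not policy.allows(host, path):
        return None
    kept = {k: v for k, v in headers.items() if k.lower() not in STRIPPED}
    return {"source_ip": PROXY_IP, "host": host, "path": path, "headers": kept}

def demo():
    policy = ProxyPolicy()
    hdrs = {"User-Agent": "ExampleBrowser/1.0", "Accept": "*/*"}  # constructed
    before = forward(policy, "10.0.0.5", "files.example.net", "/get.exe", hdrs)
    # Emergency: one change on the proxy covers every workstation at once.
    policy.deny_hosts.append("*.example.net")
    after = [forward(policy, ip, "Files.Example.NET.", "/get.exe", hdrs)
             for ip in ("10.0.0.5", "10.0.0.9")]
    other = forward(policy, "10.0.0.9", "www.example.org", "/", hdrs)
    return before, after, other

if __name__ == "__main__":
    print(demo())
```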
