Firewall Wizards mailing list archives

Query: Why bother with an application proxy over stateful packet filtering?


From: william fitzgerald <wfitzgerald () tssg org>
Date: Mon, 27 Aug 2007 15:05:16 +0100


Dear Experts,

I am interested in knowing more about network access control via various
kinds of firewalls.

I am wondering why there would be a need to set up a proxy such as a web
proxy (Squid) instead of just using a stateful packet filtering firewall
(iptables) only in a network?

I realise Squid provides caching, but leaving that aside and focusing on
the security policy aspects, what advantages can it offer over a general
purpose firewall?

My initial research/reading into Squid for example seems to suggest
that Linux iptables can cover all of Squid's functionality such as ACL
via ports and IP address range, protocol type, deep packet inspection
etc.

One thing however I see Squid can do is provide access control by an
end-user, whereas iptables seems only to provide this at a host machine
level.

But, I see iptables has the --owner matching along with --string
matching and also has a layer-7 module now.

I am just trying to get a feel for why one would be used over another.

Also, are web proxies used in conjunction with firewalls or in place of
a firewall?

I presume a bastion style host proxy with a firewall is the usual setup:

LAN --> squid proxy --> iptables ---> internet

or even a multi-homed device:

LAN --> [proxy and firewall] --> internet

regards,
Will.


--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
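The host-level versus user-level distinction raised in the post, as an added illustration that is not part of the original message or of Squid/iptables: two HTTP requests from the same LAN host are evaluated once by a layer-3/4 rule (which sees only addresses and ports, in the spirit of an iptables FORWARD rule) and once by a layer-7 policy (which sees the authenticated user, method and path, in the spirit of Squid's http_access ACLs). All addresses, users and paths are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    """One HTTP request as seen after TCP reassembly (constructed sample)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    user: str      # known only because the proxy authenticated the client
    method: str
    path: str


# Layer-3/4 policy: any host in the LAN may reach the web server on tcp/80.
# This is all a packet filter has to decide on; the rule cannot name a user.
PACKET_RULES = [("192.0.2.0/24", "203.0.113.10", 80)]


def packet_filter(req: Request) -> bool:
    """Stateful packet-filter decision: source net, destination IP, port."""
    src = ipaddress.ip_address(req.src_ip)
    return any(
        src in ipaddress.ip_network(net) and req.dst_ip == dst and req.dst_port == port
        for net, dst, port in PACKET_RULES
    )


# Layer-7 policy: only GET/HEAD, and /admin only for the admin group.
# A proxy can enforce this because it terminates the client connection and
# sees the full request plus the authenticated identity.
ADMINS = {"alice"}


def proxy_filter(req: Request) -> bool:
    """Application-proxy decision: method, path and authenticated user."""
    if req.method not in ("GET", "HEAD"):
        return False
    if req.path.startswith("/admin") and req.user not in ADMINS:
        return False
    return True


def decide(req: Request) -> tuple:
    """Return (packet_filter_verdict, proxy_verdict) for one request."""
    return packet_filter(req), proxy_filter(req)
```

Both requests below are identical at layer 3/4, so the packet filter returns the same verdict for each; only the proxy can tell them apart.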


