Firewall Wizards mailing list archives
Query: Why bother with an application proxy over stateful packet filtering?
From: william fitzgerald <wfitzgerald () tssg org>
Date: Mon, 27 Aug 2007 15:05:16 +0100
Dear Experts,

I am interested in knowing more about network access control via various kinds of firewalls.

I am wondering why there would be a need to set up a proxy such as a web proxy (Squid) instead of just using a stateful packet filtering firewall (iptables) only in a network?

I realise Squid provides caching, but leaving that aside and focusing on the security policy aspects, what advantages can it offer over a general purpose firewall?

My initial research/reading into Squid, for example, seems to suggest that Linux iptables can cover all of Squid's functionality such as ACL via ports and IP address range, protocol type, deep packet inspection etc. etc.

One thing however I see Squid can do is provide access control by an end-user, whereas iptables seems only to provide this at a host machine level. But I see iptables has the --owner matching along with --string matching and also has a layer-7 module now.

I am just trying to get a feel for why one would be used over another.

Also, are web proxies used in conjunction with firewalls or in place of a firewall?

I presume a bastion style host proxy with a firewall is the usual setup:

LAN --> squid proxy --> iptables ---> internet

or even a multi-homed device:

LAN --> [proxy and firewall] --> internet

regards,
Will.

-- 
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Query: Why bother with an application proxy over stateful packet filtering? william fitzgerald (Aug 27)
- Re: Query: Why bother with an application proxy over stateful packet filtering? Patrick M. Hausen (Aug 27)
- Message not available
- Re: Query: Why bother with an application proxy over stateful packet filtering? william fitzgerald (Aug 27)
- Re: Query: Why bother with an application proxy over stateful packet filtering? Marcin Antkiewicz (Aug 27)