Security Basics mailing list archives

RE: Proxy & Firewall Implementation


From: "Conlan Adams" <conlan () mebtc org>
Date: Thu, 13 Jan 2005 13:56:45 -0500

If they want to implement a proxy server, with the intent of keeping an
eye on or restricting traffic, what works well is to put it on the main
network behind the firewall, and allow only port 80 and 443 traffic to
go through the firewall from that machine.  That way if anyone tries to
remove the proxy settings they can't get out.

Another suggestion on the firewall front: check out the WatchGuard
products, if it's a decent size network (50-100 users or more) they are
a very nice option.

The reason some folks put all of their externally available servers
outside the network in a DMZ is to protect the rest of the network
in case something gets compromised.  There are good and bad things to
that.  Another option is to put a mail relay in the DMZ, do the spam and
virus sifting on that machine, then have it forward into the internal
network for speed of access.

Good luck

Conlan Adams


-----Original Message-----
From: John [mailto:naverxp () yahoo com sg] 
Sent: Wednesday, January 12, 2005 8:04 PM
To: security-basics () securityfocus com
Subject: Proxy & Firewall Implementation

Hi

I'm a fresh graduate in the System Administrator field. Recently, with
much luck, I was recommended to a company to implement a firewall system
for their network infrastructure. I hope to pick up some experience from
this forum as to how people here might consider different circumstances
when placing their proxy server inside a protected network (behind the
firewall) or before the firewall. Would I need two firewalls? (I'm
considering the Cisco FW and CyberGuard FW.)

During my research, I found documentation written by a blackhat who
suggested allocating most of my services (httpd, mail, etc.) to a DMZ
outside the internal network and making redundancies every night. My 2nd
question: why did he suggest that? Why expose my services outside the
network, where my information is live and exposed to the risk of being
compromised?

John
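
Added example, not part of the thread: a small Python model of the egress policy described in the reply (only the proxy host may leave the network, and only on ports 80 and 443), plus a check that picks out clients attempting direct web access from a list of outbound connection attempts. The LAN range, proxy address and sample flows are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed addressing (not from the thread): internal LAN and the proxy host.
LAN = ipaddress.ip_network("192.168.10.0/24")
PROXY = ipaddress.ip_address("192.168.10.5")
WEB_PORTS = {80, 443}


def egress_verdict(src, dport):
    """Egress policy at the firewall: the proxy may leave on 80/443, all else is denied."""
    if ipaddress.ip_address(src) == PROXY and dport in WEB_PORTS:
        return "ALLOW"
    return "DENY"


def bypass_attempts(flows):
    """Count denied direct web connections per LAN client.

    A client that shows up here has had its proxy settings removed or ignored.
    """
    hits = Counter()
    for src, _dst, dport in flows:
        ip = ipaddress.ip_address(src)
        is_client = ip in LAN and ip != PROXY
        if is_client and dport in WEB_PORTS and egress_verdict(src, dport) == "DENY":
            hits[src] += 1
    return dict(hits)


# Constructed outbound connection attempts seen at the firewall: (src, dst, dport)
SAMPLE_FLOWS = [
    ("192.168.10.5", "203.0.113.10", 80),    # proxy fetching a page
    ("192.168.10.5", "203.0.113.10", 443),   # proxy, HTTPS
    ("192.168.10.23", "203.0.113.10", 80),   # client going direct
    ("192.168.10.23", "198.51.100.7", 443),  # same client, HTTPS
    ("192.168.10.40", "198.51.100.7", 25),   # client, non-web port: denied, not a proxy bypass
    ("192.168.10.5", "198.51.100.7", 25),    # proxy on a non-web port: denied
]

if __name__ == "__main__":
    for src, dst, dport in SAMPLE_FLOWS:
        print(f"{src} -> {dst}:{dport} {egress_verdict(src, dport)}")
    print("direct web attempts:", bypass_attempts(SAMPLE_FLOWS))
```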


