Firewall Wizards mailing list archives

Re: Next Generation Security Architecture


From: John Adams <jna () retina net>
Date: Tue, 27 Feb 2001 14:28:53 -0500 (EST)


Lucent has a paper on firewalling Gigabit Ethernet between multiple
firewalls at
http://www.lucent.com/ins/library/pdf/white_papers/BRICK_WP.pdf

I think they're using the Nokia load balancers (I prefer Cisco, but Cisco
still can't load-balance GigE)

--john

On Mon, 26 Feb 2001, Brian Ford wrote:

Ng,


What about things like the cisco
LocalDirector? Although I'm not quite sure whether that's a reverse
proxy or a tcp load balancer :-].

It's a dead product. Cisco now peddles Arrowpoint. ;-)

Buzzzz.  Sorry. Wrong answer.

We still sell LocalDirector (the load balancer) as an Enterprise 
product.  Not everyone needs multi GigE feeds and speeds of the CSS 
switches (darn!).

Regarding

AFAIK some of the commercial reverse proxies will perform authentication
on behalf of the webserver.
and
Apart from the (imho fallacious) warm fuzzy feeling that "our real
webserver is no longer exposed to direct attack from the Internet", I don't
see value in a reverse proxy

Wouldn't the addition remove some of the load from the server?  I know it 
does from mine.  I use the Cut-through proxy in the PIX to authenticate 
users looking at my server (on the Cisco intranet).

Regards,

Brian

Date: Mon, 26 Feb 2001 23:11:20 +0800
From: Ng Pheng Siong <ngps () post1 com>
To: Robert Collins <robert.collins () itdomain com au>
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY

On Thu, Feb 22, 2001 at 08:20:47AM +1100, Robert Collins wrote:
From: "Ng Pheng Siong" <ngps () post1 com>
Reverse proxies break X.509 cert-based client authentication.

I don't believe there's any protocol level reason why the reverse proxy
cannot perform the X.509 certificate authentication itself. Certainly
the web server AND the reverse proxy cannot both perform that
authentication.

You're right on both counts.


AFAIK some of the commercial reverse proxies will perform authentication
on behalf of the webserver.

Then the reverse proxy is really telling the webserver "trust me" when
communicating the identity of the client.

Apart from the (imho fallacious) warm fuzzy feeling that "our real
webserver is no longer exposed to direct attack from the Internet", I don't
see value in a reverse proxy - the reverse proxies I've seen in production
simply relay stuff back and forth.


What about things like the cisco
LocalDirector? Although I'm not quite sure whether that's a reverse
proxy or a tcp load balancer :-].

It's a dead product. Cisco now peddles Arrowpoint. ;-)

--
Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


--
J. Adams                                        http://www.retina.net/~jna
You are supposed to be a consumer, a black hole for goods, advertising and
content. They only want to allocate enough upstream bandwidth for
10,000,000 buy buttons. Producing or sharing information is a subversive
act and will not be tolerated. -anonymous coward on /.
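
The "trust me" problem Ng describes above (a reverse proxy that does the X.509
client authentication and then hands the backend an identity it cannot check)
as an added, self-contained example; this is not code from the thread or from
any of the products named in it. The header names, addresses and shared secret
are constructed for illustration, and the HMAC stands in for whatever
proxy-to-backend channel the backend can authenticate (in practice usually
mutual TLS between the two hosts):

```python
"""
Added example (not from the thread): a TLS-terminating reverse proxy verifies
the client's X.509 certificate and forwards the verified subject in a header.
The backend is only safe if (1) the proxy strips any copy of that header the
client sent itself and (2) the backend accepts the header only when it can
prove it came from the proxy.  All names and values below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

PROXY_SECRET = b"constructed-shared-secret"      # assumption: proxy and backend share it
IDENTITY_HEADER = "X-Client-Cert-Subject"        # assumed header name
PROXY_SIG_HEADER = "X-Proxy-Signature"           # assumed header name
PROXY_ADDRS = frozenset({"10.0.0.2"})            # constructed proxy address


@dataclass
class Request:
    src_addr: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    # Set by the proxy's TLS layer after a successful client-cert handshake.
    verified_subject: str | None = None


def _mac(path: str, subject: str) -> str:
    """Bind the asserted identity to the request path so a signed header
    lifted from one request cannot be reused on another path."""
    msg = f"{path}\n{subject}".encode()
    return hmac.new(PROXY_SECRET, msg, hashlib.sha256).hexdigest()


def proxy_forward(req: Request, proxy_addr: str = "10.0.0.2") -> Request:
    """Reverse proxy: drop client-supplied identity headers (case-insensitively,
    since an attacker will try 'x-client-cert-subject'), then add the subject
    the TLS layer actually verified, authenticated with the HMAC."""
    blocked = {IDENTITY_HEADER.lower(), PROXY_SIG_HEADER.lower()}
    clean = {k: v for k, v in req.headers.items() if k.lower() not in blocked}
    if req.verified_subject is not None:
        clean[IDENTITY_HEADER] = req.verified_subject
        clean[PROXY_SIG_HEADER] = _mac(req.path, req.verified_subject)
    return Request(src_addr=proxy_addr, path=req.path, headers=clean)


def backend_naive(req: Request) -> str | None:
    """'Trust me' taken literally: whoever sets the header is authenticated.
    Fine only while nobody can reach the backend except the proxy."""
    return req.headers.get(IDENTITY_HEADER)


def backend_checked(req: Request) -> str | None:
    """Accept the asserted subject only from a proxy address and only with a
    valid MAC; anything else is treated as unauthenticated."""
    subject = req.headers.get(IDENTITY_HEADER)
    sig = req.headers.get(PROXY_SIG_HEADER)
    if subject is None or sig is None or req.src_addr not in PROXY_ADDRS:
        return None
    if not hmac.compare_digest(sig, _mac(req.path, subject)):
        return None
    return subject


if __name__ == "__main__":
    # Constructed scenarios: a real cert holder, a forged header through the
    # proxy, and a forged header sent straight to the backend.
    alice = proxy_forward(Request("203.0.113.5", "/admin", verified_subject="CN=alice"))
    forged = Request("203.0.113.5", "/admin", {"x-client-cert-subject": "CN=admin"})
    print("alice via proxy:", backend_naive(alice), backend_checked(alice))
    print("forged via proxy:", backend_naive(proxy_forward(forged)),
          backend_checked(proxy_forward(forged)))
    print("forged direct:", backend_naive(forged), backend_checked(forged))
```

The direct-to-backend case is the one the "our real webserver is no longer
exposed" argument quietly depends on: the naive backend accepts `CN=admin`
from anyone who can open a socket to it, while the checked backend rejects it.
Replay of a validly signed header on the same path is still possible in this
toy; a timestamp or nonce in the MAC, or simply mutual TLS between proxy and
backend, closes that.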

