Re: Proxy advantage

["Marcus J. Ranum" <mjr () ranum com>]

Kevin Kadow wrote:
> Does this only apply to an explicit proxy server? Does anybody deploy 
> a transparent proxy server and not pass DNS down to the client?

My friend Ron Dilley wrote a passive DNS collector/logger - it's:
http://www.uberadmin.com/

Back in the day he used it as a data source into our "overwatch" system,
which is here:
http://www.ranum.com/security/computer_security/code/overwatch_final_draft.pdf

> Can you call it a "best practice" when it is impossible to maintain in 
> a large diverse network?

If your premise is that your network is impossible to secure, then it's
impossible to secure.

> Aside from applications which are just not proxy aware, even when the 
> application correctly uses OS proxy settings for HTTP/HTTPS/FTP/etc, 
> it may still rely on being able to resolve external names; result is 
> an unmanageably large whitelist for DNS lookups.

If your premise is that your network should accept 
bad/dodgy/suspicious/inappropriate
traffic then it's impossible to secure.


> Same goes with "not advertising a default route" or restricting 
> default route HTTP/HTTPS with ACLs.  Great idea, but one which quickly 
> becomes difficult to manage on a large scale network.

If your premise is that your network allows all kinds of stuff in and 
out, then
it's impossible to secure.

>   Once you have any unproxyable applications needing connectivity to 
> Akamai or a similar CDN, these controls are usually abandoned as 
> unmaintainable.

When you abandon security as "unmaintainable" don't whine when you
discover your network is insecure.

mjr.

--
Marcus J. Ranum         CSO, Tenable Network Security, Inc.
                        http://www.tenable.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards