Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

RE: Question on web proxy architecture
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 20 Feb 2006 17:06:57 -0500


-----Original Message-----
Subject: [fw-wiz] Question on web proxy architecture

issue:  we have a new web proxy and a shiny new AV server looking for a
home in our network 
of 500 users.

it will be handling the usual HTTP, IM and streaming

the current proxy architecture is 'proxy on a stick' with a single
interface handling all 
in/out connections. it seems to do ok performance wise

I'm not really concerned about performance but I would like to know what
others have 
experienced.

If performance doesn't matter, then your architecture probably won't matter.
If the AV server and the web proxy are different systems and the AV server
is supposed to perform AV scanning of web traffic (which will be via proxy
I'm sure), that will likely dictate your architecture.

For instance, can the AV proxy forward to an upstream proxy?  Does it
support ICP for caching proxies?  Are sessions on the AV proxy tied to
client IP address?  For more than a few AV proxies I've looked at, the
answer to these questions is no.

In the lamest of AV proxies, in order to get the reporting and
authentication to work and have  it work with another proxy, I've seen
configurations in which the client requests to the AV proxy via browser
settings and then the connection is handled by a second transparent proxy in
order to provide caching and content filtering.  Not pretty or
performance-friendly, but it works.


so the question is where best to place the proxy?  what are the security
implications of 
having a proxy on a stick? its still proxying is it not?

The main issue with proxy-on-a-stick is that it requires that something else
force traffic through the proxy.  This is usually as simple as configuring
your firewall to deny all outbound web traffic unless it comes from the
proxy server.

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]