Firewall Wizards mailing list archives

Re: Proxy advantage
From: Kevin Kadow <kkadow () gmail com>
Date: Tue, 16 Apr 2013 10:13:51 -0400

Does this only apply to an explicit proxy server?  Does anybody deploy a
transparent proxy server and not pass DNS down to the client?

Can you call it a "best practice" when it is impossible to maintain in a
large diverse network?  Aside from applications which are just not proxy
aware, even when the application correctly uses OS proxy settings for
HTTP/HTTPS/FTP/etc, it may still rely on being able to resolve external
names; the result is an unmanageably large whitelist for DNS lookups.

Same goes with "not advertising a default route" or restricting default
route HTTP/HTTPS with ACLs.  Great idea, but one which quickly becomes
difficult to manage on a large scale network.  Once you have any
unproxyable applications needing connectivity to Akamai or a similar CDN,
these controls are usually abandoned as unmaintainable.

Kevin Kadow
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
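The "unmanageably large whitelist" claim above is something a defender can measure rather than argue about. The following is an added example, not code from the post or the list: it parses resolver query logs (a constructed sample in BIND-style query-log format, with made-up client addresses and names), separates internal zones from external lookups, reports how many distinct external names clients are resolving (the size a DNS allowlist would have to reach), and lists per client the external names that fall outside a hypothetical allowlist. The zone names, allowlist entries and log format are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample in BIND-style query-log format; clients, names and the
# resolver address (10.0.0.53) are all made up for this example.
SAMPLE_LOG = """\
16-Apr-2013 10:01:02.001 client 10.1.2.3#51234: query: www.example.com IN A + (10.0.0.53)
16-Apr-2013 10:01:03.002 client 10.1.2.3#51235: query: intranet.corp.example IN A + (10.0.0.53)
16-Apr-2013 10:01:04.003 client 10.1.2.4#40001: query: cdn-node-1.example.net IN A + (10.0.0.53)
16-Apr-2013 10:01:04.250 client 10.1.2.4#40002: query: cdn-node-2.example.net IN A + (10.0.0.53)
16-Apr-2013 10:01:05.100 client 10.1.2.5#33000: query: updates.example.org IN A + (10.0.0.53)
16-Apr-2013 10:01:06.400 client 10.1.2.3#51236: query: cdn-node-1.example.net IN AAAA + (10.0.0.53)
16-Apr-2013 10:01:07.000 zone corp.example/IN: loaded serial 2013041601
"""

# Assumed internal zone(s) clients are expected to resolve directly.
INTERNAL_ZONES = ("corp.example",)
# Hypothetical allowlist of external names clients may resolve without the proxy.
ALLOWLIST = frozenset({"www.example.com"})

# Matches "client IP#port: query: NAME IN TYPE"; the optional "(name)" group
# after the port tolerates the newer BIND log layout as well.
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (client_ip, lowercase qname without trailing dot, qtype) per query line."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # zone loads, notices and other non-query lines are skipped
        yield m["client"], m["name"].rstrip(".").lower(), m["qtype"]


def is_internal(name, internal_zones=INTERNAL_ZONES):
    """True if the name is one of the internal zones or lies beneath one."""
    return any(name == z or name.endswith("." + z) for z in internal_zones)


def external_names(text, internal_zones=INTERNAL_ZONES):
    """Distinct external names clients resolved: the size a DNS allowlist would need."""
    return {n for _, n, _ in parse_query_log(text) if not is_internal(n, internal_zones)}


def unsanctioned_lookups(text, allowlist=ALLOWLIST, internal_zones=INTERNAL_ZONES):
    """Map client IP -> sorted external names that are outside the allowlist."""
    hits = defaultdict(set)
    for client, name, _ in parse_query_log(text):
        if is_internal(name, internal_zones) or name in allowlist:
            continue
        hits[client].add(name)
    return {c: sorted(n) for c, n in sorted(hits.items())}


if __name__ == "__main__":
    print(f"{len(external_names(SAMPLE_LOG))} distinct external names resolved")
    for client, names in unsanctioned_lookups(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

Run against a day of real resolver logs, the first number is the allowlist you would have to curate; the per-client list is where the unproxyable applications (and the CDN edge names that change underneath them) show up, which is the maintenance burden the post describes.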
