Re: Proxy advantage
From: Kevin Kadow <kkadow () gmail com>
Date: Tue, 16 Apr 2013 10:13:51 -0400
Does this only apply to an explicit proxy server? Does anybody deploy a
transparent proxy server and not pass DNS down to the client?
Can you call it a "best practice" when it is impossible to maintain in a
large, diverse network? Aside from applications which are just not
proxy-aware, even when the application correctly uses OS proxy settings for
HTTP/HTTPS/FTP/etc., it may still rely on being able to resolve external
names; the result is an unmanageably large whitelist for DNS lookups.
Same goes for "not advertising a default route" or restricting default-route
HTTP/HTTPS with ACLs. Great idea, but one which quickly becomes
difficult to manage on a large-scale network. Once you have any
unproxyable applications needing connectivity to Akamai or a similar CDN,
these controls are usually abandoned as unmaintainable.
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
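The argument above is about how fast a DNS lookup whitelist grows once proxy-only clients still need to resolve CDN names directly. The script below is an added example, not code from the post or the list: it parses constructed resolver query-log lines (the log format, the internal zone suffixes and the sample hostnames are all assumptions for the example), skips internal zones, and reports which external names are not covered by a given allow list and on which day they first appeared. Running it on a real query log from a proxy-only segment is the measurement to take before committing to the control.

```python
"""Estimate how large a DNS lookup allow list would have to be.

Added example (not from the original post). Feed it DNS query-log
lines from a proxy-only network segment and it reports how many
distinct external names clients still resolve directly, and how many
new, not-yet-whitelisted names show up each day.
"""
import re
from collections import defaultdict

# Assumed (constructed) log format: "<date> <time> client=<ip> query=<name> type=<qtype>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ client=(?P<client>\S+) "
    r"query=(?P<name>\S+) type=(?P<qtype>\S+)$"
)

# Assumed internal zones for the example; queries under these are ignored
# because they are answered internally regardless of the allow list.
INTERNAL_SUFFIXES = ("corp.example", "in-addr.arpa")

# Constructed sample log: two days of queries from a proxy-only segment.
SAMPLE_LOG = [
    "2013-04-15 09:01:02 client=10.1.2.3 query=intranet.corp.example. type=A",
    "2013-04-15 09:01:05 client=10.1.2.3 query=a1234.g.akamai.net. type=A",
    "2013-04-15 09:02:10 client=10.1.2.4 query=e123.dscb.akamaiedge.net. type=A",
    "2013-04-15 09:03:00 client=10.1.2.4 query=update.vendor.example. type=A",
    "2013-04-15 09:03:01 client=10.1.2.4 query=3.2.1.10.in-addr.arpa. type=PTR",
    "2013-04-16 08:30:00 client=10.1.2.5 query=a5678.g.akamai.net. type=A",
    "2013-04-16 08:30:02 client=10.1.2.5 query=update.vendor.example. type=A",
    "2013-04-16 08:31:00 client=10.1.2.6 query=e456.dscg.akamaiedge.net. type=A",
    "2013-04-16 08:32:00 client=10.1.2.6 query=www.othervendor.example. type=A",
]

# Constructed starting allow list: one exact name plus one wildcard suffix.
ALLOWLIST = ("update.vendor.example", "*.akamai.net")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = rec["name"].rstrip(".").lower()
    return rec


def is_internal(name):
    """True if the name sits under an internal zone suffix."""
    return any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)


def matches_allowlist(name, allowlist):
    """Allow list entries are exact names or '*.suffix' wildcards.
    Note '*.akamai.net' does not cover akamaiedge.net: a CDN spreads
    across several domains, so wildcards alone do not stop the growth."""
    for entry in allowlist:
        if entry.startswith("*."):
            suffix = entry[2:]
            if name == suffix or name.endswith("." + suffix):
                return True
        elif name == entry:
            return True
    return False


def allowlist_growth(lines, allowlist=()):
    """Return (blocked_by_day, all_external).

    blocked_by_day maps a day to the external names first seen that day
    that the allow list does not cover (i.e. the entries you would have
    to add that day). all_external is every external name queried."""
    seen = set()
    blocked_by_day = defaultdict(set)
    all_external = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_internal(rec["name"]):
            continue
        all_external.add(rec["name"])
        if matches_allowlist(rec["name"], allowlist):
            continue
        if rec["name"] not in seen:
            seen.add(rec["name"])
            blocked_by_day[rec["day"]].add(rec["name"])
    return dict(blocked_by_day), all_external


if __name__ == "__main__":
    blocked, external = allowlist_growth(SAMPLE_LOG, ALLOWLIST)
    print("distinct external names queried:", len(external))
    for day in sorted(blocked):
        print(day, "new names needing allow list entries:", sorted(blocked[day]))
```

Every day with a non-empty set is a day someone has to edit the DNS allow list; on a real log the per-day count for CDN-backed applications is the number that decides whether the control is maintainable.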