Firewall Wizards mailing list archives

Re: Proxy advantage


From: Kevin Kadow <kkadow () gmail com>
Date: Tue, 16 Apr 2013 10:13:51 -0400

Does this only apply to an explicit proxy server?   Does anybody deploy a
transparent proxy server and not pass DNS down to the client?

Can you call it a "best practice" when it is impossible to maintain in a
large, diverse network?  Aside from applications which are just not proxy
aware, even when the application correctly uses OS proxy settings for
HTTP/HTTPS/FTP/etc, it may still rely on being able to resolve external
names; the result is an unmanageably large whitelist for DNS lookups.

Same goes with "not advertising a default route" or restricting default
route HTTP/HTTPS with ACLs.  Great idea, but one which quickly becomes
difficult to manage on a large-scale network.  Once you have any
unproxyable applications needing connectivity to Akamai or a similar CDN,
these controls are usually abandoned as unmaintainable.

Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
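As an added illustration (not part of Kevin's post, and not a configuration he describes), here is an nftables ruleset implementing the controls under discussion: no general egress, only the explicit proxy may reach external HTTP/HTTPS and DNS, plus the exception list that grows with every unproxyable application. All addresses and set members are constructed placeholders; the firewall is assumed to be the router between the client LAN and the Internet.

```nftables
# Added example, not from the post. Addresses are constructed placeholders.
table inet egress {
    # Clients that cannot use the proxy. Every non-proxy-aware application
    # adds entries here; this is the whitelist the post calls unmaintainable.
    set unproxyable_clients {
        type ipv4_addr
        elements = { 10.0.20.15, 10.0.20.16 }   # constructed
    }

    # Destinations those clients may reach directly (e.g. a CDN's ranges).
    set cdn_destinations {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }           # placeholder (TEST-NET-3)
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Only the explicit proxy (assumed 10.0.0.5) originates HTTP/HTTPS
        # to the Internet; ordinary clients have no route that passes here.
        ip saddr 10.0.0.5 tcp dport { 80, 443 } accept

        # Only the proxy resolves external names. Clients are not handed
        # external DNS, so an unproxied connection never learns an IP.
        ip saddr 10.0.0.5 udp dport 53 accept
        ip saddr 10.0.0.5 tcp dport 53 accept

        # Exceptions: unproxyable clients may resolve and reach the CDN.
        # Limiting *which names* they may resolve is done on the resolver,
        # not in this ruleset.
        ip saddr @unproxyable_clients udp dport 53 accept
        ip saddr @unproxyable_clients ip daddr @cdn_destinations tcp dport { 80, 443 } accept

        # Everything else is logged and dropped; the log is where you
        # discover the next application that needs an exception.
        log prefix "egress-drop " drop
    }
}
```

Load with `nft -f <file>`; the `egress-drop` log prefix makes it easy to measure how quickly the exception sets grow in practice.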
