
List:       firewall-1
Subject:    Re: [FW1] Firewall-1 and MS Proxy Configuration
From:       karimi () ca ! ibm ! com
Date:       1999-08-31 14:54:25

You can use MS Proxy as a caching server, cascade multiple Proxy servers (like a server farm, etc.) and use FW-1 to do your authentication and firewalling services.

MS Proxy is nice; however, whilst it allows the basic internet services (http, ftp, telnet, etc.) through, for anything UDP-based like streaming services (RealAudio and VDOLive) you'll need to install the Winsock Proxy client (MS Proxy has 2 components: a WebProxy Server and a Winsock Proxy Server) on all workstations to allow them to access the Winsock Proxy Server.

You also have to look at performance. Where MS Proxy will suffer is if you have a large internal user base going through a DS-1 or higher circuit on a single NT server housing the proxy; you are going to see problems, whereas FW-1 running on an NT server is rated at something like 20 Mbps throughput. I doubt you will see close to that using MS Proxy. In addition, FW-1 can support thousands of connections; I think the MS Proxy will start degrading severely after a few dozen.

This is where filtering firewalls like FW-1 have the edge.

I'm also not sure whether Microsoft supports full Winsock 2.0 compliance yet. Remember, as new Internet applications are developed, you'll have to wait for support from Microsoft.

This is where filtering firewalls like FW-1 have the edge.

Aside from that, it's a fairly nice low-end proxy package.

___________________________________________
karim ismail                     managed firewall services
IGS/NS                              A82/414/33/3500 MKM
tie line:  905.316.5195    notes: karimi@ca.ibm.com


dpueschner@amadeus.net on 08/31/99 08:33:10 AM

Please respond to dpueschner@amadeus.net

To:   cbrenton@sover.net
cc:   Dean Cunningham <DeanC@wairc.govt.nz>, "'Pranadjaja'"
      <Prana@mii.metrodata.co.id>, "'fw-1-mailinglist@lists.us.checkpoint.com'"
      <fw-1-mailinglist@lists.us.checkpoint.com>
Subject:  Re: [FW1] Firewall-1 and MS Proxy Configuration

Hi,

Watching this discussion with a lot of interest as I am currently struggling with the same subject: fw-1 and MS Proxy!!!
We have decided to place the proxy internally (not like the drawing below), and let the proxy do the user authentication using NT domain accounts. The first issue was which rule to configure on the firewall. I am going for:

proxy     any any log

because there are a lot of web servers using ports other than 80 and I didn't want to configure every single port! Apart from the proxy nobody can go out through the firewall, so the users MUST use the MS proxy. Logfile reporting is done with Webtrends based on the proxy logs and looks very neat, because you see where every user goes to.

Other things I am struggling with (**** this isn't Firewall-1 related, but it should be interesting to all the proxy users, so don't start shouting please *****):

Proxy is running with one interface only, connected to the internal LAN, and we are struggling to get WinSock proxy working. This is required mainly for news!

Authentication using NT domain accounts is nice, but if somebody uses Netscape browsers the userids and passwords are sent in clear text (at most uuencoded) over the LAN :-(
I did find a plug-in at Microsoft that claims to do NT challenge response on Netscape; I haven't tested it yet, but that still doesn't save my unix/Netscape users' passwords.

If you are interested I'll keep you up-to-date on our progress....

Generally, what I found very annoying is that the MS proxy is designed to work AS A FIREWALL and not with a firewall.

Cheers
Doris

From: Chris Brenton <cbrenton@sover.net>  on 31/08/99 10:38 GMT

Please respond to cbrenton@sover.net

To:   Dean Cunningham <DeanC@wairc.govt.nz>
cc:   "'Pranadjaja'" <Prana@mii.metrodata.co.id>
      "'fw-1-mailinglist@lists.us.checkpoint.com'"
      <fw-1-mailinglist@lists.us.checkpoint.com>
      (bcc: Doris Pueschner/MUC/AMADEUS)

Subject:  Re: [FW1] Firewall-1 and MS Proxy Configuration

Dean Cunningham wrote:
>
> FWIW
>
> I'd punt for this,
> --------------Firewall-1---------------Router -----Internet
>                                         |
>                                   Proxy Server
>
> This is your only option if you want to use firewall as your security
> authority.

I'm not a heavy MSPII user myself, but in this config how do you get
FW-1 to speak to MSPII using SOCKS (my understanding is that you have to
use SOCKS or the proxy winsock client to access the cache as
authentication is required) and even if you do, how do you authenticate
to both FW-1 & MSPII without prompting the users twice for credentials?

Thus my Squid comment.

> Chris what hole has been blown in the firewall??

My assumption was that since they purchased MSPII they were going to
use the NT database for authentication. This would have required
punching holes for NT hash authentication, SAM replication, etc. Since
this is not the case, I stand corrected.

I'm just not sure how this config is supposed to work. Even if you can
bang out the above mentioned problems, the firewall is going to log that
all users went to the proxy server. Unless you are including the
firewall logs in the security review, you are not going to see where
users are going. Or am I missing something since it's still early and I'm
working on Pepsi #1? ;)

Cheers,
Chris
--
**************************************
cbrenton@sover.net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
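Added example (editor's code, not from any message in this thread) illustrating the logging point Chris raises and the reporting Doris describes: when every user is forced through the proxy, the firewall log only shows proxy-to-Internet flows, the proxy log is what ties destinations to users, and a reviewer gets both views by joining the two and by checking for accepted outbound flows that did not originate at the proxy. The log layouts, addresses, user names, the PROXY_IP value and the 5-second join window are all constructed assumptions, not Firewall-1's or MS Proxy's real log formats.

```python
"""Correlate a perimeter firewall's logs with an internal proxy's logs.

Added example; the sample lines are constructed and use simplified
layouts, not Firewall-1's or MS Proxy's real log formats.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PROXY_IP = "10.0.0.5"  # assumed address of the internal proxy host

# Constructed firewall log: timestamp src dst dport action
FW_LOG = """\
1999-08-31T08:30:01 10.0.0.5 192.0.2.10 80 accept
1999-08-31T08:30:03 10.0.0.5 192.0.2.20 8080 accept
1999-08-31T08:30:05 10.0.0.42 192.0.2.30 80 drop
1999-08-31T08:30:07 10.0.0.5 192.0.2.10 80 accept
1999-08-31T08:30:09 10.0.0.77 192.0.2.40 119 accept
"""

# Constructed proxy log: timestamp user client_ip dest_host dest_ip dport
PROXY_LOG = """\
1999-08-31T08:30:00 DOMAIN\\alice 10.0.0.11 www.example.com 192.0.2.10 80
1999-08-31T08:30:02 DOMAIN\\bob 10.0.0.12 intranet.example.net 192.0.2.20 8080
1999-08-31T08:30:06 DOMAIN\\alice 10.0.0.11 www.example.com 192.0.2.10 80
"""


def parse_fw_log(text):
    """Parse the simplified firewall log into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "dport": int(dport), "action": action})
    return records


def parse_proxy_log(text):
    """Parse the simplified proxy log; only the proxy knows which user asked."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, client, host, dest_ip, dport = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "client": client, "dest_host": host,
                        "dest_ip": dest_ip, "dport": int(dport)})
    return records


def firewall_view(fw_records):
    """What the firewall alone shows: accepted flows counted by (src, dst).

    With all egress forced through the proxy, every legitimate accepted
    flow has the proxy as its source and no user is visible.
    """
    return Counter((r["src"], r["dst"])
                   for r in fw_records if r["action"] == "accept")


def user_destinations(proxy_records):
    """Per-user destination hosts, the report the proxy log supports."""
    by_user = defaultdict(set)
    for r in proxy_records:
        by_user[r["user"]].add(r["dest_host"])
    return dict(by_user)


def attribute_fw_flows(fw_records, proxy_records, proxy_ip=PROXY_IP,
                       window=timedelta(seconds=5)):
    """Attribute each accepted proxy-sourced firewall flow to a user.

    Joins on destination IP and port, taking the proxy entry closest in
    time within `window`; None means no proxy request explains the flow.
    """
    attributed = []
    for f in fw_records:
        if f["action"] != "accept" or f["src"] != proxy_ip:
            continue
        user, best = None, None
        for p in proxy_records:
            if p["dest_ip"] != f["dst"] or p["dport"] != f["dport"]:
                continue
            delta = abs(f["ts"] - p["ts"])
            if delta <= window and (best is None or delta < best):
                user, best = p["user"], delta
        attributed.append((f["ts"], f["dst"], user))
    return attributed


def direct_egress_violations(fw_records, proxy_ip=PROXY_IP):
    """Accepted outbound flows whose source is not the proxy.

    Under an "only the proxy may go out" policy, any hit here means the
    rule base is not enforcing the policy and needs review.
    """
    return [r for r in fw_records
            if r["action"] == "accept" and r["src"] != proxy_ip]


if __name__ == "__main__":
    fw, px = parse_fw_log(FW_LOG), parse_proxy_log(PROXY_LOG)
    print("firewall view:", dict(firewall_view(fw)))
    print("per-user destinations:", user_destinations(px))
    for ts, dst, user in attribute_fw_flows(fw, px):
        print(f"{ts} -> {dst}: {user or 'unattributed'}")
    for r in direct_egress_violations(fw):
        print("direct egress bypassing proxy:", r["src"], "->", r["dst"], r["dport"])
```

The join is deliberately loose (destination, port and a time window) because a firewall sees the proxy's outbound socket, not the browser's request; on a real deployment the window should be tuned to the proxy's connection reuse behaviour, and an unattributed flow or any non-proxy accepted flow is the finding to investigate.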