
List:       firewalls-gc
Subject:    RE: MS Proxy as a firewall?
From:       Chris Pugrud <ChrisP () steldyn ! com>
Date:       1997-01-30 11:19:56

There are two simple sides to this.

MSP is a proxy server, not a firewall.  As a proxy server it is a fairly
good and robust proxy server and the active caching can be useful.  If
you protect the proxy server from the Internet it can do its job very
well.

On the downside there are many issues that MS is so far mute on.

Reporting sucks.  The easiest argument to use with management is that
reports regarding what traffic is coming from whom are difficult and
painstaking to assemble.  MSP will only log client IP addresses, which
causes lots of havoc if you use dynamic IP.  The SQL server logging
is really nice, but you're still stuck with the ClientIP problem.  MS' log
conversion tool will not work with the Proxy log files.  All of this
could be solved with some custom PERL tools, don't forget to include
them in the budget.

FTP.  The HTTP proxy in MSP does not do PASV FTP.  This may force you
to open more holes in your FW than you would like.

HTTPS.  The easiest way around the client IP problem is to force NTLM
authentication to the proxy for transparent logging of the user name.
This only works if all of your browsers are MSIE 3.01.  This also breaks
HTTPS.  MS says that they will fix it in MSIE 4.0.  You can get around
this with Basic authentication, which has the users give a login and
password whenever they hit the net.  This may fit better into your
security policy.  My management demands as much transparency as
possible.

Telnet, SMTP, NNTP, etc.  MSP only provides a HTTP proxy that supports
HTTP, HTTPS, FTP, and Gopher.  If you need to get any more through the
MSP you have to use the Winsock Proxy which requires client software.
With SMTP you must run a SMTP server on the MSP to get your mail into
the organization.  This is not a major issue because EMWAC's IMS does a
great job of playing SMTP gateway.

These are most of the major problems with MSP.  That said, I do use it
because of the low cost proxy benefits.  I hide the machine behind FW-1
to help protect it.  As for the reports I have been too busy to sit down
and learn the PERL I would need to generate good reports.  MS Proxy is
not a firewall, it's a proxy server, and actually a good one for a MS
environment.  As a firewall it leaves a lot to be desired though.

Chris

>-----Original Message-----
>From:	Mike Blaser [SMTP:Mike@scio.demon.co.uk]
>Sent:	Thursday, January 30, 1997 3:49 AM
>To:	Firewalls Mailing list
>Subject:	MS Proxy as a firewall?
>
>Some bright spark within the organisation has suggested using MS Proxy
>Server as the company's firewall solution.  I've tried to locate
>information as to why this is not such a great idea but articles
>specifically regarding this product do not appear to be readily available
>(the article in Tempest was useful in this respect but that was about
>it).  We know all the obvious points like the fact that it's not running
>on a hardened OS and its poor reporting capabilities but trying to
>explain these points to a non-security oriented management section is
>difficult.  Can anyone else think of objections to using MS Proxy in this
>manner (sooner rather than later.  I have to lay down the law this
>afternoon, so to speak).
>
>Cheers
>
>Mike
>--
>Mike Blaser  -  IT Security Analyst                 mike@scio.demon.co.uk
>Vertex Data Science Ltd                               +44 (0) 1925 236831
>TA29, Dawson House                 Comments and opinions are those of the
>Great Sankey, Warrington, UK    author and not of Vertex Data Science Ltd
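
Added example (not part of the original message or of any MS tooling): one way to work around the client-IP-only logging described above when addresses are dynamic is to join each proxy log line against DHCP lease windows, so a request is attributed to the machine that held the address at that moment. Both input formats and all sample values below are constructed for illustration; they are not the real MS Proxy or DHCP log layouts.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample data (assumed formats, not real MS Proxy / DHCP output).
# Lease line: start end ip mac hostname
LEASES = """\
1997-01-30T08:00:00 1997-01-30T12:00:00 10.1.1.20 00:a0:24:11:22:33 PC-ALICE
1997-01-30T12:05:00 1997-01-30T18:00:00 10.1.1.20 00:a0:24:44:55:66 PC-BOB
1997-01-30T08:10:00 1997-01-30T18:00:00 10.1.1.21 00:a0:24:77:88:99 PC-CAROL
"""
# Proxy line: timestamp client_ip url
PROXY_LOG = """\
1997-01-30T09:15:02 10.1.1.20 http://www.example.com/
1997-01-30T12:02:30 10.1.1.20 http://www.example.org/
1997-01-30T13:40:11 10.1.1.20 ftp://ftp.example.net/pub/
1997-01-30T14:00:00 10.1.1.21 http://www.example.com/news
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def load_leases(text):
    """Return {ip: [(start, end, mac, host), ...]} sorted by lease start."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        start, end, ip, mac, host = line.split()
        by_ip[ip].append((parse_ts(start), parse_ts(end), mac, host))
    for leases in by_ip.values():
        leases.sort()
    return by_ip

def attribute(log_text, by_ip):
    """Return [(timestamp, ip, host_or_None, url)] for each proxy log line."""
    rows = []
    for line in log_text.splitlines():
        ts_s, ip, url = line.split(None, 2)
        ts, leases = parse_ts(ts_s), by_ip.get(ip, [])
        # Latest lease that started at or before the request time.
        i = bisect_right([l[0] for l in leases], ts) - 1
        # Only attribute if the request falls inside that lease window;
        # a gap between leases stays unattributed rather than being guessed.
        host = leases[i][3] if i >= 0 and ts <= leases[i][1] else None
        rows.append((ts_s, ip, host, url))
    return rows

def report(rows):
    """Count requests per host; unattributed traffic is kept visible per IP."""
    counts = defaultdict(int)
    for _, ip, host, _ in rows:
        counts[host or "UNATTRIBUTED(%s)" % ip] += 1
    return dict(counts)
```

The same IP maps to two different machines within one day in the sample, and the request made in the gap between leases is reported as unattributed instead of being pinned on either host.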
