Re: [SQU] pix firewall and squid

From: Merton Campbell Crockett <mcc@dont-contact.us>
Date: Fri, 8 Dec 2000 10:56:05 -0800 (PST)

On Fri, 8 Dec 2000, Juri Haberland wrote:

> Cardinal Christopher wrote:
> >
> > We are using Netscape Proxy and are thinking of moving to Squid. We are also
> > moving from Raptor Firewall to PIX. Q: Is it better to have an internal
> > Proxy and an external proxy talk through the PIX firewall, rather than one
> > internal Proxy send all requests to the Internet from the PIX firewall? Any
> > pros and cons? Thanks.
>
> Well, having only an internal proxy makes the rules on the firewall more
> complicated (e.g. not only port 80, but also port 8080, 443; in general,
> people aren't limited on which port they want their web servers to run).
> With an external proxy you only have to configure two ports on your FW
> and that's it. But then you have to protect your external proxy or
> tighten the configuration very well.
>
> Make your choice...

There are other options. At the sites that I support, I find that it's
undesirable to proxy Web activity through a general-purpose firewall. Web
activity tends to be personal rather than work related. The volume of Web
activity has a tremendous impact on the ability to conduct business.

To support personal and business use of the Web, I use a dedicated-purpose
firewall to provide the functionality. I use a BSD/OS system with internal
and external interfaces as the basis for the firewall. The only services
that it runs are BIND (named) and Squid.

The Squid Proxy Server is configured to only accept incoming connections
from the internal interface. Last month, Squid delivered over 24 TB of data
to internal systems. This was a bit out of the ordinary resulting from a
bug in an application being developed to retrieve data from the Internet.

The good news was that with the dedicated-function firewall, normal work
activities were not impacted.

The bad news was that with the dedicated-function firewall, the bug went
undetected for a week. (The developer left the application running when he
went on vacation.)

The better news was that the majority of the data being retrieved was
cacheable.

Merton Campbell Crockett

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Fri Dec 08 2000 - 11:59:49 MST
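Added example, not part of the thread or of Squid itself: a check over Squid native-format access.log lines that sums bytes delivered per client and flags a runaway consumer, the kind of check that would have surfaced the week-long download bug described above. The log lines, client addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
976300001.001    120 10.1.2.3 TCP_MISS/200 51200 GET http://example.com/a.html - DIRECT/192.0.2.10 text/html
976300002.002     80 10.1.2.4 TCP_HIT/200 4096 GET http://example.com/b.css - NONE/- text/css
976300003.003   5000 10.1.2.50 TCP_MISS/200 734003200 GET http://example.com/data.bin - DIRECT/192.0.2.10 application/octet-stream
976300004.004   4800 10.1.2.50 TCP_HIT/200 734003200 GET http://example.com/data.bin - NONE/- application/octet-stream
976300005.005    100 10.1.2.5 TCP_MISS/200 20480 GET http://example.com/c.js - DIRECT/192.0.2.10 application/javascript
976300006.006   4700 10.1.2.50 TCP_HIT/200 734003200 GET http://example.com/data.bin - NONE/- application/octet-stream
"""

# Fields up to the URL are enough here; the trailing fields are left unparsed.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def bytes_per_client(log_text):
    """Sum bytes delivered to each client address; lines that do not parse are skipped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            totals[m["client"]] += int(m["bytes"])
    return dict(totals)

def flag_runaway_clients(totals, absolute_limit, ratio=20):
    """Return clients whose total exceeds an absolute byte cap, or exceeds
    `ratio` times the median client total when at least three clients are seen
    (the median rule needs enough peers to be meaningful)."""
    if not totals:
        return []
    med = median(totals.values())
    flagged = []
    for client, total in totals.items():
        if total > absolute_limit or (len(totals) >= 3 and total > ratio * med):
            flagged.append(client)
    return sorted(flagged)

if __name__ == "__main__":
    totals = bytes_per_client(SAMPLE_LOG)
    for client in flag_runaway_clients(totals, absolute_limit=1 << 30):
        print(f"{client}: {totals[client]} bytes")
```

Run daily against the previous day's access.log (or feed it via a log rotation hook); cache hits count toward the client total on purpose, since the point is the client's consumption rather than upstream bandwidth.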