Re: Stupid Question - Proxy Internals
On Thu, 2002-03-07 at 11:06, Josh Frick wrote:
> Thank you. That's what I had suspected. NAT is NAT, right? I'm
> trying to build a multi-layered approach. Currently it's two Coyote
> (IPchains) Firewalls in front of Squid/Socks. This does prevent direct
> connections to my clients, which I had assumed was more secure than
> otherwise, but I wasn't sure if that was meaningful. My clients and
> the Squid/Socks box are not reachable by the gateway. Only the choke,
> which will be reconfigured (by way of a crossover-cable) to be
> connected only to the Squid/Socks box. I just wanted to know if this
> was any better than simply adding a third IPchains box.

Something to be aware of is that having two firewalls of the same
flavour will not buy you any more security. If a crack/exploit works on
one then it will work on the other. Try replacing one of them with
another OS and firewall solution.
Adding a third ipchains box will give you as much protection as adding a
piece of wire.
Where a proxy is extremely useful is being able to inspect (and correct
or reject) the data it receives before it gives it to the client
machine. That is, you can plug a virus scanner into squid, remove
ActiveX, etc.
--
Regards
Simon