
Re: Stupid Question - Proxy Internals



On Thu, 2002-03-07 at 11:06, Josh Frick wrote:

    Thank you.  That's what I had suspected.  NAT is NAT,  right?  I'm 
    trying to build a multi-layered approach.  Currently it's two Coyote 
    (IPchains)  Firewalls in front of Squid/Socks.  This does prevent direct 
    connections to my clients,  which I had assumed was more secure than 
    otherwise,  but I wasn't sure if that was meaningful.  My clients and 
    the Squid/Socks box are not reachable by the gateway.  Only the choke,  
    which will be reconfigured (by way of a crossover-cable)  to be 
    connected only to the Squid/Socks box.  I just wanted to know if this 
    was any better than simply adding a third IPchains box.

Something to be aware of is that having two firewalls of the same
flavour will not buy you any more security. If a crack/exploit works on
one then it will work on the other. Try replacing one of them with
another OS and firewall solution.

Adding a third ipchains box will give you as much protection as adding a
piece of wire.

Where a proxy is extremely useful is being able to inspect (and correct
or reject) the data it receives before it gives it to the client
machine. That is, you can plug a virus scanner into Squid, remove
ActiveX, etc.
-- 

Regards

Simon
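
The inspect, correct or reject step described in the message above, as an added example that is not part of the original post and is not Squid code or configuration: a response-body filter of the kind a filtering proxy applies before relaying data to the client. The names `filter_response`, `ActiveXStripper` and `is_activex` are hypothetical, and `TEST_SIGNATURE` is a constructed marker standing in for a real virus scanner's verdict.

```python
from html.parser import HTMLParser
# Constructed marker standing in for a virus scanner hit; not a real signature.
TEST_SIGNATURE = b"CONSTRUCTED-SCANNER-TEST-MARKER"

def is_activex(tag, attrs):
    return tag == "object" and any(name == "classid" for name, _ in attrs)

class ActiveXStripper(HTMLParser):  # re-emits HTML minus <object classid=...>
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out, self.depth, self.removed = [], 0, 0
    def _emit(self, text):
        if not self.depth:  # depth > 0 means we are inside a dropped element
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if self.depth:
            self.depth += tag == "object"  # nested <object> fallback content
        elif is_activex(tag, attrs):
            self.depth, self.removed = 1, self.removed + 1
        else:
            self._emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if not self.depth and is_activex(tag, attrs):
            self.removed += 1
        else:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        self._emit(f"</{tag}>")  # suppressed while inside a dropped element
        self.depth -= bool(self.depth) and tag == "object"

    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_comment(self, data): self._emit(f"<!--{data}-->")
    def handle_decl(self, decl): self._emit(f"<!{decl}>")

def filter_response(content_type, body):  # -> ('reject'|'corrected'|'pass', body)
    if TEST_SIGNATURE in body:
        return "reject", b""  # reject: nothing is relayed to the client
    if content_type.split(";")[0].strip().lower() == "text/html":
        parser = ActiveXStripper()
        parser.feed(body.decode("latin-1"))  # latin-1 round-trips every byte
        parser.close()
        if parser.removed:
            return "corrected", "".join(parser.out).encode("latin-1")
    return "pass", body
```

A packet filter in the same position sees only addresses and ports, so none of these three verdicts is available to it.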


