[ale] Proxy Servers and Firewalls

Joseph A. Knapka jknapka at earthlink.net
Thu Jun 21 03:10:10 EDT 2001


Leonard Thornton wrote:
> 
> My understanding of proxies and firewalls is that they are for two separate
> purposes.
> 
> A firewall protects your internal network from access by individuals on the
> external network by filtering, translating and redirecting each packet passing
> through it.
> 
> A proxy is a connection point for people on your internal network to connect
> to to access common functions on the external LAN (i.e. Web proxy).
> 
> The firewall mainly limits traffic entering your network.  The proxy limits the
> access of people in your network to the outside world.  Therefore, you would
> use the firewall to protect your internal network from evil hacks out in the
> real world, while you would use a proxy to keep your own people from going
> places or doing things from your internal network to the outside.  A well
> balanced network is usually some combination of the two.
> 
> My humble understanding of the subject.......YMMV

Good points all. Some more things to think about:

A proxy can provide a local cache for frequently-
accessed data outside the local net, which can
significantly reduce external traffic, if that's important
for you.

Packet-filtering (e.g. NAT, etc.) firewalls generally
don't require any special configuration on the clients
and are (IMO) a lot less likely to annoy or
confuse users.

A proxy can be quite a bit more intelligent about
analyzing the data streams than a packet filter can,
since it gets to see the entire exchange between
client and server in meaningful chunks, whereas a
packet filter only sees a packet at a time. For
example, an HTTP proxy might have on-the-fly virus
checking filters in place.

Given something like the Netfilter architecture in
the 2.4 kernels, you could have the best of both
worlds: run a packet-filtering firewall that passes
packets out to a user-mode daemon or custom kernel
module (currently vaporware :) that does whatever
kind of additional processing you want - virus
checking or whatever.

-- Joe
 
> On Wed, 20 Jun 2001, Jeff Hubbs wrote:
> > I know that proxy servers and firewalls (with or without NAT) are common
> > means of connecting a LAN to the Internet.  I seek a cross-platform take
> > on which to use under what circumstances.  Specifically, under what
> > circumstances is it highly desirable to use a proxy server instead of a
> > firewall, and under what circumstances is it highly UNdesirable?
> >
> > - Jeff
> > --
> > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
> --
> The difficult while you wait ... The impossible overnight ...
> 
> Leonard Thornton
> Intelis, Inc
> leonard at intelis-inc.net

-- Joseph A. Knapka
"You know how many remote castles there are along the gorges? You
 can't MOVE for remote castles!" -- Lu Tze re. Uberwald
// Linux MM Documentation in progress:
// http://home.earthlink.net/~jknapka/linux-mm/vmoutline.html
* Evolution is an "unproven theory" in the same sense that gravity is. *
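The stream-versus-packet point from Joe's reply, as an added example that is not part of the original thread: a content signature split across two TCP segments is invisible to a check that looks at one packet at a time, but visible once the segments are reassembled into the stream a proxy sees. The signature, the HTTP response and the segment layout are all constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical content signature (constructed; not a real malware pattern).
SIGNATURE = b"EICAR-TEST"

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def packet_filter_hits(segments: list[Segment]) -> list[int]:
    """Per-packet inspection: each segment examined on its own; returns stream offsets of hits."""
    hits = []
    for s in segments:
        pos = s.payload.find(SIGNATURE)
        if pos != -1:
            hits.append(s.seq + pos)
    return hits

def reassemble(segments: list[Segment]) -> bytes:
    """Rebuild the byte stream a proxy hands to its filters: reorders segments,
    drops retransmitted bytes, and stops at a hole (as a TCP stack would)."""
    stream, nxt = bytearray(), 0
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > nxt:
            break                                  # gap: later data not deliverable yet
        if s.seq + len(s.payload) <= nxt:
            continue                               # pure retransmission, nothing new
        stream += s.payload[nxt - s.seq:]          # keep only bytes not yet seen
        nxt = s.seq + len(s.payload)
    return bytes(stream)

def proxy_hits(segments: list[Segment]) -> list[int]:
    """Stream-level inspection over the reassembled client/server exchange."""
    data = reassemble(segments)
    hits, pos = [], data.find(SIGNATURE)
    while pos != -1:
        hits.append(pos)
        pos = data.find(SIGNATURE, pos + 1)
    return hits

def split_stream(data: bytes, cut: int) -> list[Segment]:
    """Cut one byte stream into two TCP-style segments at offset `cut`."""
    return [Segment(0, data[:cut]), Segment(cut, data[cut:])]

# Constructed HTTP response whose signature straddles the segment boundary:
# "EICAR" ends segment 1, "-TEST" begins segment 2.
RESPONSE = b"HTTP/1.0 200 OK\r\n\r\nprefix EICAR-TEST suffix"
CUT = RESPONSE.index(SIGNATURE) + 5
```

Running `packet_filter_hits(split_stream(RESPONSE, CUT))` returns `[]` while `proxy_hits` on the same segments returns `[26]`, the offset of the signature in the reassembled stream.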