| T.R | Title | User | Personal
Name | Date | Lines |
|---|
| 4444.1 | | teco.mro.dec.com::tecotoo.mro.dec.com::mayer | Danny Mayer | Mon Feb 03 1997 13:43 | 3 |
| It can't be done. It can't chain.
Danny
|
| 4444.2 | Grrrrrr | OGBON::gambit.shl.dec.com::THOMPSONS | All is not good in the world | Tue Feb 04 1997 00:02 | 5 |
| Stupid Microsoft :-(
Spend a couple of hours finding this out
|
| 4444.3 | | BBRDGE::LOVELL | � l'eau; c'est l'heure | Tue Feb 04 1997 03:34 | 15 |
| As far as I understand MS's approach - their proxy server *is* the
firewall. i.e. they seem to be responding to the segment of the market
that requires simple "application relays" to bridge Intranet to
Internet. I am trying to find out what their commercial approach is
to providing a packet screening firewall but so far I have drawn a
blank.
Now, I know Steve et al are no novices to firewalls (and proxy servers)
so my question is - why are you looking at the MS caching proxy server?
Why don't you implement this functionality on your own existing
firewall? Perhaps it's a customer issue or just personal interest but
either way I'd be interested to know what makes you look at the current
MS product.
/Chris/
|
| 4444.4 | MS Proxy Server + AV Firewall | VAXRIO::VENTRIGLIA | | Tue Feb 04 1997 06:44 | 19 |
| In fact, MS says the proxy server is not a firewall indeed, once it
differs from them in several features (no alerting, no VPNs, etc.).
The thing is AV Firewall for NT has some limitations. Due
to these limitations (cache configuration and user authentication
features) I want to use the MS Proxy Server.
The first goal is to place the Proxy Server inside the Firewall (secure
net) provinding only caching. After this, I will consider using it for
internal users authentication once my clients do not want to purchase
any HHA stuff.
I am still having problems pointing the MS proxy server to the
firewall. Any suggestions?
Thanks again.
|
| 4444.5 | | teco.mro.dec.com::tecotoo.mro.dec.com::mayer | Danny Mayer | Tue Feb 04 1997 08:52 | 7 |
| > The thing is AV Firewall for NT has some limitations. Due
The AV Firewall uses the Proxy portions of Purveyor, so anything that
Purveyor can/cannot do, apply to the AV Firewall Proxy server. Read the
Purveyor documentation for details.
Danny
|
| 4444.6 | My 2 cents | PSCESP::LUIS | Luis Gonz�lez - S.I. Madrid | Tue Feb 04 1997 09:20 | 33 |
| > Now, I know Steve et al are no novices to firewalls (and proxy servers)
> so my question is - why are you looking at the MS caching proxy server?
> Why don't you implement this functionality on your own existing
> firewall? Perhaps it's a customer issue or just personal interest but
> either way I'd be interested to know what makes you look at the current
> MS product.
>
I am not the adressee of the question, but I would like to say something about
the subject.
Digital Spain was formally invited by Microsoft to deliver a presentation about
our Altavista offering and our Systems Integration capabilities at the Proxy
Server launch event. They were extremely positive about us, lots of "let's go
together" messages and so on.
They presented their Proxy Server as a low-cost "firewall-like" system, with
some implied references to possible configurations in which they would coexist
with a "real-but-expensive" corporate firewall.
I found the product pretty basic, but including some interesting
functionalities that our products don't include, or are a bit primitive, such
as per-user administration and supervision of Web access (www.playboy.com and
all that stuff), good and easy-to-use reporting capabilities, and also good and
easy-to-use caching. They focus more in avoiding that *your* people waste time
in the Internet rather than avoiding hacker attacks (and my feeling is that
this message has a also a *big* market).
I think that if there was a way to link MS Proxy to our firewalls, that
could be an interesting base for creating Internet security solutions for lots
of medium or big corporations
Luis
|
| 4444.7 | | teco.mro.dec.com::tecotoo.mro.dec.com::mayer | Danny Mayer | Tue Feb 04 1997 10:16 | 10 |
| > I think that if there was a way to link MS Proxy to our firewalls, that
> could be an interesting base for creating Internet security solutions for lots
> of medium or big corporations
MS Proxy would have to support chaining to get anyone in the firewall
business really interested. The rest is irrelevant if you don't have that.
While the NT AV Firewall would be interested in other proxy solutions, you'd
have to have that first.
Danny
|
| 4444.8 | the KISS principle | BBRDGE::LOVELL | � l'eau; c'est l'heure | Tue Feb 04 1997 15:57 | 22 |
| Seem's to me that Luis' reply in .6 has confirmed what I was suspecting
i.e. Microsoft are bidding their Proxy Server to the "keep it simple"
segment of the market (a huge portion) and when they get any push back
about a "full Internet security solution" they are happy to hand the
rather ugly baby to a SI type of sales organization who know how to
handle the complexities of real firewalls and multi-protocols.
Re Danny's comment : What would prevent a customer to start with a MS
Web proxy server as his "firewall" and then, when challenged on security
issues, he implements an AV firewall in front of the proxy server with
a simple TCP-relay across the AV firewall to the MS proxy server now on
the blue net.
Obviously it's a bit contrived but my point is that MS will probably be
laughing all the way to the bank 'cos they are going to ensure that
they get first shot at the revenue with a cheap and cheerful and easy
to use Web proxy server. Where http is becoming the all-purpose
application protocol, many small to medium sized customers won't even
consider anything more than a simple http proxy as their Internet/Intranet
barrier.
/Chris/
|
| 4444.9 | | TENNIS::KAM | AltaVista Software 714/261-4133 DTN 535.4133 | Wed Feb 05 1997 19:15 | 11 |
| LAN Magazine March 1997 pg. Proxy Servers Stand Guard
This article compares both the Netscape and Microsoft Proxie Servers.
Basically, the architecture described in .0 is the suggested
configuration for the Proxy Server connections. It doesn't go into
detail how to do it but that's the recommendation.
If you figure this out I'm interested. WE have a similar requirement
here.
Regards,
|
| 4444.10 | | teco.mro.dec.com::tecotoo.mro.dec.com::mayer | Danny Mayer | Thu Feb 06 1997 09:07 | 6 |
| > If you figure this out I'm interested. WE have a similar requirement
> here.
You lost me as to what you want to have figured out.
Danny
|
| 4444.11 | | TENNIS::KAM | AltaVista Software 714/261-4133 DTN 535.4133 | Mon Feb 10 1997 02:03 | 17 |
| re .10
It appears, if I read them correctly, that someone is attempting to
configure the MS Proxy with the AltaVista Firewall and it's been
indicated that it can't be done?
According to some articles that I've read, they didn't say what
firewalls in particular, that the MS and Netscape Proxy servers are
supported behind the firewall. And that this is the recommended
configuration e.g., a Firewall and Proxy Server for both Security and
increased performance.
If so, we're interested to see if anyone has done this. We have a
couple of customers that are evaluating the AV Firewall and are hinting
at using either the MS or Netscape proxy servers.
Regards,
|
| 4444.12 | | teco.mro.dec.com::tecotoo.mro.dec.com::mayer | Danny Mayer | Mon Feb 10 1997 17:24 | 5 |
| Digital Firewalls come with Proxy servers, you don't need additional
ones on the firewall. If you want to chain to the firewall proxy server, then
you need one that will chain. MS Proxy server does not chain.
Danny
|
| 4444.13 | | TENNIS::KAM | AltaVista Software 714/261-4133 DTN 535.4133 | Mon Feb 10 1997 21:42 | 7 |
| Thanks. That clarifies that. Do you know if Netscape's Proxy Server
chains?
Is there an upper-limit for the cache? Can I allocate a 4 GB drive?
Regards,
|
| 4444.14 | | teco.mro.dec.com::tecotoo.mro.dec.com::mayer | Danny Mayer | Tue Feb 11 1997 09:26 | 12 |
| > Thanks. That clarifies that. Do you know if Netscape's Proxy Server
> chains?
>
The Unix version does chain as does Purveyor. I don't know about
Netscapes Intel Proxy Server as that was a buyout.
> Is there an upper-limit for the cache? Can I allocate a 4 GB drive?
For the Proxy server? As long as there's disk space it should be able
to cache, at least for the proxy servers that I've encountered.
Danny
|