Installation guide

Advantages of proxy type firewalls
Protection against malformed packets: the proxy terminates the client's connection, reassembles the request and only ever sends well-formed traffic on to the internal host.
Protection against more protocol-based attacks than stateful-inspection packet filters can provide, because the proxy understands the application protocol rather than just addresses and ports.
More granular control over which protocols (and which operations within a protocol) will traverse the networks.
Disadvantages of proxy type firewalls
Rather complex: needs more powerful hardware, therefore generates more heat and is more prone to hardware faults.
Because the software is more complex, it is more likely to contain programming errors (‘bugs’).
A specialised proxy is needed for every single protocol; you may need custom-written software to proxy some of the networking applications you use.
Examples
Tinyproxy, Squid, Exim, Sendmail, Smtpfwdd.
Full-blown application proxies exceed the scope of this tutorial. Organisations that are active enough on the
Internet to need them should employ professionals who are fully experienced in this field.
Compromise solution
However, there is a simple compromise where you can gain some of the benefits of full blown application
proxies in a perimeter network, through a little extra work (plus an extra network interface and one extra
dedicated computer):
A single computer is connected via a separate network interface on the firewall, using a separate address range from the private network.
This computer hosts a small number of applications (such as a web server and an email server) that are allowed to communicate with the public Internet without putting the private network at risk: the firewall lets the Internet reach only those published services, and lets the perimeter host open no connections of its own into the private network.
A separate ‘perimeter network’ or Demilitarised Zone (DMZ) is very useful for practices that want to provide email and web services, accessible from the public Internet, without having to outsource them.
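The three-interface layout described above, as an added example that is not part of the original guide: an iptables ruleset (Linux netfilter) for a firewall with an external, a private and a perimeter interface. The interface names (eth0, eth1, eth2), the private address ranges and the addresses of the DMZ web and mail servers are assumptions; the script also assumes the DMZ uses private addresses that are published through NAT on the firewall's public address, which is the usual arrangement on a single Internet connection.

```shell
#!/bin/sh
# Three-interface DMZ ruleset for iptables-restore.
# Added example for this guide, not the guide's own configuration.
# All names and addresses below are assumptions; change them to match your hosts.
EXT_IF="${EXT_IF:-eth0}"              # public Internet side
LAN_IF="${LAN_IF:-eth1}"              # private practice network
DMZ_IF="${DMZ_IF:-eth2}"              # perimeter network with the public servers
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # private address range
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"  # separate address range for the DMZ
DMZ_WEB="${DMZ_WEB:-192.168.2.10}"    # web server in the DMZ
DMZ_MAIL="${DMZ_MAIL:-192.168.2.11}"  # email server in the DMZ
LAN_MAIL="${LAN_MAIL:-192.168.1.20}"  # internal mailbox server that receives accepted mail

# Print the ruleset in iptables-restore format (the heredoc must stay unindented).
dmz_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall host itself: loopback, replies to its own traffic, SSH from the LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Connections already accepted may continue in both directions; junk is dropped
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Internet -> DMZ: only the published services, only to the hosts that run them
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_MAIL -p tcp --dport 25 -j ACCEPT
# DMZ -> LAN: nothing, except the DMZ mail server handing accepted mail inwards.
# A compromised DMZ host must not be able to reach the practice network.
-A FORWARD -i $DMZ_IF -o $LAN_IF -s $DMZ_MAIL -d $LAN_MAIL -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN blocked: "
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
# DMZ -> Internet: only what the servers need (DNS, outbound mail, updates over HTTP/HTTPS)
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -p tcp -m multiport --dports 25,53,80,443 -j ACCEPT
# LAN -> DMZ: staff use the web and mail services and administer the servers over SSH
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -p tcp -m multiport --dports 22,25,80,443 -j ACCEPT
# LAN -> Internet: general outbound access (hidden behind the firewall by the NAT rules below)
-A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the DMZ servers on the firewall's public address ...
-A PREROUTING -i $EXT_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $DMZ_WEB
-A PREROUTING -i $EXT_IF -p tcp --dport 25 -j DNAT --to-destination $DMZ_MAIL
# ... and hide both internal ranges behind it for outbound traffic
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
EOF
}

# Sanity check: the single DMZ->LAN exception must come before the catch-all DROP,
# otherwise it can never match. Returns 0 when the ordering is right.
check_order() {
  dmz_rules | awk -v dmz="$DMZ_IF" -v lan="$LAN_IF" '
    $0 ~ "-i " dmz " -o " lan && /-j ACCEPT/ && !acc  { acc  = NR }
    $0 ~ "-i " dmz " -o " lan && /-j DROP/   && !drop { drop = NR }
    END { exit !(acc && drop && acc < drop) }'
}

# "apply" loads the rules (run as root); anything else just prints them for review.
case "${1:-print}" in
  apply) check_order && dmz_rules | iptables-restore ;;
  *)     dmz_rules ;;
esac
```

Run without arguments the script prints the ruleset for review; `sh dmz-rules.sh apply` as root loads it. The direction worth checking in any ruleset of this kind is DMZ to LAN: the only new connection permitted there is the mail server forwarding accepted mail inwards, and everything else is logged and dropped, so a compromised web server gains no more access to the practice network than the receptionist's nurse has to the rest of the records. Check the rules with `iptables -L FORWARD -v -n` after loading, and test from a DMZ host that connections to private addresses really fail.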
In the analogy to the practice phone system: a person rings to discuss a test result with Dr X. Instead of disturbing the doctor (and risking discussion of other, unrelated issues concerning that patient), the receptionist puts the caller through to the practice nurse, who knows all about the results but has no details about any other matters. Thus, even if the caller is an impostor, they gain no knowledge of the patient’s confidential records beyond, perhaps, the test results.