• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 390
  • Last Modified:

Should I place my Web Proxy behind or in front of my firewall?

We are getting ready to implement a new BlueCoat SG-250 web proxy appliance on our network, but I'm not sure of the best place to put it in relation to my firewall.  One of the network admins in my shop thinks that we should connect it to an additional interface on our perimeter router which is just in front of the firewall.  We can then configure WCCP on the router to pass web traffic to the proxy and eliminate an "inline" configuration that would cause users not to be able to surf the net in case the proxy was down.

However, we can accomplish the same with the Cisco ASA firewall that we have in place that supports WCCP as well.  My thinking is that we can connect it to one of the DMZ interfaces and use WCCP to accomplish the same thing.

Another one of network admins in the shop suggested connecting it to the core switch and using WCCP there, with the idea that you can eliminate a lot of traffic hitting the perimeter router and firewall.

Any opinions as the best and most secure way of implementing a proxy in this environment?

1 Solution
Connecting it to the outside interface is not a good idea. If it has a vulnerability then in theory an attacker can redirect people or serve up malware.

I would say putting it on the internal interface is the best approach. It only makes outbound connections so the DMZ is not the perfect place for it unless it will be the only device in that DMZ. As you can use WCCP on the core switch that seems the ideal solution.
jmoney68Author Commented:

Featured Post

IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now