Solved

Proxy without scanning content

Posted on 2014-04-01
Last Modified: 2014-04-02
I have read some excellent posts and have learned a lot, but have to ask one last question on this subject.

If I have a proxy within the DMZ, and I do not scan for content, check for viruses, etc, and I do nothing to the content or block access based upon content, I might as well use port forwarding.

Is this correct?
Question by:Anthony Lucia
5 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 167 total points
ID: 39971914
Do you use it to cache content and therefore reduce the load on your WAN / Internet circuits?

Do you ever, or will you ever, need to refer to the logs? That depends a little on what the proxy does for you, but if you have hundreds of clients connecting through, you will have application-layer logs available to you. A traditional firewall, working up to layer 4 (ports), would not be able to provide that for you.

I'm struggling to think of more reasons it might be useful beyond those :)

Chris
0
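The difference in logging described in the answer above, as an added example that is not part of the original thread: it compares the record a layer-4 port forward can produce with the record a proxy can produce from the request head alone, without scanning any content. The `Conn` type, function names, addresses and requests are all constructed for illustration.

```python
# Added example: what a layer-4 port forward can log versus a non-inspecting
# HTTP proxy. All addresses and requests below are constructed sample data.
from dataclasses import dataclass

@dataclass
class Conn:
    src: str        # client IP:port
    dst: str        # listener IP:port on the DMZ device
    payload: bytes  # first bytes the client sent

def l4_record(c: Conn) -> dict:
    """A port forward/NAT rule sees only addresses, ports and byte counts."""
    return {"src": c.src, "dst": c.dst, "bytes": len(c.payload)}

def l7_record(c: Conn) -> dict:
    """A proxy must parse the request head to route it, so it can log it.
    The body is never examined (no content scanning)."""
    rec = l4_record(c)
    head = c.payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        rec["error"] = "not HTTP"      # non-HTTP traffic on the proxy port
        return rec
    method, target, _ = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    rec["method"] = method
    if method == "CONNECT":            # HTTPS tunnel: host visible, URL not
        rec["host"], rec["url"] = target, None
    else:
        rec["host"], rec["url"] = headers.get("host"), target
    rec["user_agent"] = headers.get("user-agent")
    return rec

SAMPLES = [
    Conn("10.0.5.21:50112", "192.0.2.10:3128",
         b"GET http://example.com/report.pdf HTTP/1.1\r\nHost: example.com\r\n"
         b"User-Agent: sample-agent/1.0\r\n\r\n"),
    Conn("10.0.5.37:50440", "192.0.2.10:3128",
         b"CONNECT mail.example.net:443 HTTP/1.1\r\nHost: mail.example.net:443\r\n\r\n"),
    Conn("10.0.5.99:51000", "192.0.2.10:3128", b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for c in SAMPLES:
        print("L4:", l4_record(c), "\nL7:", l7_record(c))
```

For the CONNECT sample the proxy still records the destination host even though the tunnelled URL is hidden, and the third sample shows the proxy flagging non-HTTP traffic that a port forward would pass without comment.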
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 167 total points
ID: 39971961
The DMZ is a zone, segregated from other parts of the network; you would use a proxy to keep that zone more intact. If the DMZ is able to communicate to all other networks it's not very DMZ-like, so port forwarding or NAT'ing may not be what you want. A proxy used to take traffic from the DMZ to the internet or from the internet to the DMZ allows the border of the DMZ to remain. A reverse proxy is probably the correct term: http://en.wikipedia.org/wiki/DMZ_%28computing%29#Services_in_the_DMZ
-rich
0
 
LVL 63

Assisted Solution

by:btan
btan earned 166 total points
ID: 39972045
Thinking wider on the context of this question I tend to see scanning content has nothing to do with port forwarding.

It is just like saying "I trust this visitor is legit since it passed my country's customs check, I will just let it through to my premises for a stay overnight or probably longer."

By default, I will not trust, and there are no foolproof checks (more so if I am reading all the recent incidents and cases in the news). There is always the principle of "trust but verify" or simply "No trust unless proven otherwise". I do not want to delve into the technical aspect hence just touching the principle :) ... of a security mindset

(I may be just too conservative and have a pretty low risk appetite - if you have those devices in chain of the traffic - why waste the $$ deploying them without maximising their contribution)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39972077
nm
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39972396
If I have a proxy within the DMZ, and I do not scan for content, check for viruses, etc, and I do nothing to the content or block access based upon content, I might as well use port forwarding

Is this correct

As the other experts suggest, it's not such a straightforward answer/decision.

Using an internal proxy like you're using is pretty much just packet forwarding so yes, it is similar to port forwarding.

Port forwarding however does not offer the same services as a proxy server.

So while we may be answering your question correctly...we do worry that you may not be asking the right question. This is where the articles become a little meaningless.

Don't forget there are many different types of proxy servers
http://en.wikipedia.org/wiki/Proxy_server

Question: Is your proxy only servicing clients on your internal network or do you have users coming in from the WWW who also need to access your proxy?

By using port forwarding only, you could be exposing your servers which would have been obfuscated by the proxy server so the backend services would have limited exposure to the Internet.

The big question is: What is your objective here? What do you want to achieve?

Do you want to: Remove an "unnecessary" server or get an understanding of the concepts? Or other?
0
