• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 422
  • Last Modified:

Proxy without scanning content

I have read some excellent posts and have learned a lot, but have to ask one last question on this subject.

If I have a proxy within the DMZ, and I do not scan for content, check for viruses, etc., and I do nothing to the content or block access based upon content, I might as well use port forwarding.

Is this correct?
0
Asked by: Anthony Lucia
3 Solutions
 
Chris Dent (PowerShell Developer) commented:
Do you use it to cache content and therefore reduce the load on your WAN / Internet circuits?

Do you ever, or will you ever, need to refer to the logs? That depends a little on what the proxy does for you, but if you have hundreds of clients connecting through it you will have application-layer logs available to you. A traditional firewall, working up to layer 4 (ports), would not be able to provide that for you.

I'm struggling to think of more reasons it might be useful beyond those :)

Chris
0
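To make Chris's logging point concrete, here is an added example (not code from the thread or from any product mentioned in it) that parses two constructed logs for the same three client requests: a layer-4 firewall log of the kind port forwarding alone would leave behind, and a Squid native-format proxy access log. The addresses, hostnames and log lines are constructed; the functions show what each log can and cannot answer for a defender.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed layer-4 firewall log: addresses, ports and byte counts only.
FIREWALL_LOG = """\
2014-03-01T10:00:01 ACCEPT src=10.1.1.20 dst=203.0.113.10 proto=tcp sport=51234 dport=80 bytes=1430
2014-03-01T10:00:02 ACCEPT src=10.1.1.21 dst=203.0.113.10 proto=tcp sport=51240 dport=80 bytes=98771
2014-03-01T10:00:03 ACCEPT src=10.1.1.22 dst=203.0.113.10 proto=tcp sport=51251 dport=80 bytes=5120
"""

# Constructed Squid native-format access log for the same three requests.
# Fields: time elapsed client code/status bytes method URL user hierarchy type
PROXY_LOG = """\
1393668001.123    210 10.1.1.20 TCP_MISS/200 1430 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1393668002.456   1890 10.1.1.21 TCP_MISS/200 98771 GET http://www.example.com/tools/update.exe - HIER_DIRECT/203.0.113.10 application/octet-stream
1393668003.789     12 10.1.1.22 TCP_HIT/200 5120 GET http://www.example.com/lib.js - HIER_NONE/- application/javascript
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ "
    r"sport=\d+ dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_firewall(text):
    """Parse the constructed firewall lines into dicts; skip anything malformed."""
    entries = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            entries.append(d)
    return entries


def parse_proxy(text):
    """Parse Squid native access-log lines (ten whitespace-separated fields)."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue
        cache_result, _, status = f[3].partition("/")
        entries.append({
            "client": f[2],
            "cache_result": cache_result,
            "status": int(status),
            "bytes": int(f[4]),
            "method": f[5],
            "url": f[6],
            "host": urlsplit(f[6]).hostname,
            "content_type": f[9],
        })
    return entries


def firewall_view(entries):
    """Everything a layer-4 log can say: bytes per destination socket."""
    by_socket = Counter()
    for e in entries:
        by_socket[f"{e['dst']}:{e['dport']}"] += e["bytes"]
    return dict(by_socket)


def proxy_view(entries):
    """Application-layer facts only the proxy log supplies: which hostnames were
    requested, which clients fetched binaries, and how much the cache absorbed."""
    by_host = Counter()
    binary_downloads = []
    bytes_from_cache = 0
    for e in entries:
        by_host[e["host"]] += e["bytes"]
        if e["content_type"] == "application/octet-stream" or e["url"].lower().endswith(".exe"):
            binary_downloads.append((e["client"], e["url"]))
        if "HIT" in e["cache_result"]:       # served locally, no WAN round trip
            bytes_from_cache += e["bytes"]
    return {
        "bytes_by_host": dict(by_host),
        "binary_downloads": binary_downloads,
        "bytes_from_cache": bytes_from_cache,
    }


if __name__ == "__main__":
    print("firewall:", firewall_view(parse_firewall(FIREWALL_LOG)))
    print("proxy:   ", proxy_view(parse_proxy(PROXY_LOG)))
```

The firewall view collapses all three requests into one socket total, which is all a port-forwarding rule can ever record. The proxy view names the host, identifies the client that pulled an executable, and shows the bytes the cache served without touching the WAN, which is the second benefit Chris mentions.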
 
Rich Rumble (Security Samurai) commented:
The DMZ is a zone segregated from other parts of the network; you would use a proxy to keep that zone more intact. If the DMZ is able to communicate with all other networks, it's not very DMZ-like, so port forwarding or NATing may not be what you want. A proxy used to take traffic from the DMZ to the Internet, or from the Internet to the DMZ, allows the border of the DMZ to remain. A reverse proxy is probably the correct term: http://en.wikipedia.org/wiki/DMZ_%28computing%29#Services_in_the_DMZ
-rich
0
 
btan (Exec Consultant) commented:
Thinking wider on the context of this question, I tend to see that scanning content has nothing to do with port forwarding.

It is just like saying "I trust this visitor is legit since it passed my country's customs check; I will just let it through to my premises for a stay overnight or probably longer."

By default, I will not trust, and there are no foolproof checks (more so if I am reading all the recent incidents and cases in the news). There is always the principle of "trust but verify" or simply "no trust unless proven otherwise". I do not want to delve into the technical aspect, hence just touching the principle :) ... of a security mindset.

(I may be just too conservative and have a pretty low risk appetite. If you have those devices in the chain of the traffic, why waste the $$ deploying them without maximising their contribution?)
0
 
Rich Rumble (Security Samurai) commented:
nm
0
 
Leon Fester commented:
If I have a proxy within the DMZ, and I do not scan for content, check for viruses, etc., and I do nothing to the content or block access based upon content, I might as well use port forwarding.

Is this correct?

As the other experts suggest, it's not such a straightforward answer/decision.

Using an internal proxy like you're using is pretty much just packet forwarding, so yes, it is similar to port forwarding.

Port forwarding however does not offer the same services as a proxy server.

So while we may be answering your question correctly...we do worry that you may not be asking the right question. This is where the articles become a little meaningless.

Don't forget there are many different types of proxy servers:
http://en.wikipedia.org/wiki/Proxy_server

Question: Is your proxy only servicing clients on your internal network or do you have users coming in from the WWW who also need to access your proxy?

By using port forwarding only, you could be exposing your servers, which would have been obfuscated by the proxy server so that the backend services had limited exposure to the Internet.

The big question is: What is your objective here? What do you want to achieve?

Do you want to: Remove an "unnecessary" server or get an understanding of the concepts? Or other?
0
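Leon's point that port forwarding exposes what a proxy would have obfuscated comes down to what each one does to the traffic. The following is an added example (not code from the thread or from any named product) that models the two side by side as pure functions: `port_forward` hands the request to the backend untouched, while the reverse-proxy functions only forward published paths, drop hop-by-hop headers, overwrite `X-Forwarded-For` so a client cannot forge it, and strip software banners and backend addresses from the response. The public hostname, backend address and published prefixes are constructed values.

```python
# Constructed deployment values for the example.
PUBLIC_HOST = "www.example.com"        # name external clients connect to
BACKEND = "10.0.5.20:8080"             # DMZ backend the proxy fronts
PUBLISHED = ("/app/", "/static/")      # only these paths are reachable via the proxy

# Hop-by-hop headers (RFC 7230 section 6.1) belong to one connection only.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}
# Response headers that describe the backend's software, not the content.
LEAKY = {"server", "x-powered-by", "x-aspnet-version"}


class Rejected(Exception):
    """Raised when the proxy refuses to forward a request to the backend."""


def port_forward(method, path, headers):
    """Port forwarding: whatever the client sent reaches the backend unchanged."""
    return method, path, dict(headers)


def is_published(path):
    """True if the proxy exposes this path at all."""
    return path.startswith(PUBLISHED)


def build_upstream_request(method, path, headers, client_ip):
    """Reverse proxy, request side: enforce the published paths, drop hop-by-hop
    headers, point Host at the backend and record the real client address."""
    if not is_published(path):
        raise Rejected(f"{path} is not published")
    out = {k: v for k, v in headers.items()
           if k.lower() not in HOP_BY_HOP
           and k.lower() not in ("host", "x-forwarded-for")}
    out["Host"] = BACKEND
    out["X-Forwarded-For"] = client_ip     # set, not appended: client values are untrusted
    out["X-Forwarded-Host"] = PUBLIC_HOST
    return method, path, out


def sanitize_response_headers(headers):
    """Reverse proxy, response side: remove banners and rewrite any Location
    that names the backend so its address never reaches the client."""
    backend_url = f"http://{BACKEND}"
    out = {}
    for k, v in headers.items():
        lk = k.lower()
        if lk in LEAKY or lk in HOP_BY_HOP:
            continue
        if lk == "location" and v.startswith(backend_url):
            v = f"https://{PUBLIC_HOST}" + v[len(backend_url):]
        out[k] = v
    return out


if __name__ == "__main__":
    req_headers = {"Host": PUBLIC_HOST, "Connection": "keep-alive",
                   "X-Forwarded-For": "203.0.113.99", "User-Agent": "demo"}
    print("forwarded :", port_forward("GET", "/admin/", req_headers))
    print("proxied   :", build_upstream_request("GET", "/app/login", req_headers, "198.51.100.9"))
    try:
        build_upstream_request("GET", "/admin/", req_headers, "198.51.100.9")
    except Rejected as e:
        print("rejected  :", e)
    print("response  :", sanitize_response_headers({
        "Server": "Apache/2.2.15 (CentOS)", "X-Powered-By": "PHP/5.3.3",
        "Location": "http://10.0.5.20:8080/app/home", "Content-Type": "text/html"}))
```

Run as a script, it shows the contrast Leon describes: with port forwarding the `/admin/` request and the client-supplied `X-Forwarded-For` reach the backend as-is, and a backend `Location` or `Server` header would go straight back out; with the proxy in the path, unpublished URLs stop at the border and the response carries only the public name.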
