Solved

Proxy without scanning content

Posted on 2014-04-01
Last Modified: 2014-04-02
I have read some excellent posts and have learned a lot, but have to ask one last question on this subject.

If I have a proxy within the DMZ, and I do not scan for content, check for viruses, etc., and I do nothing to the content or block access based upon content, I might as well use port forwarding.

Is this correct?
Question by:Anthony Lucia
5 Comments
 

Accepted Solution

by:
Chris Dent earned 167 total points
ID: 39971914
Do you use it to cache content and therefore reduce the load on your WAN / Internet circuits?

Do you ever, or will you ever, need to refer to the logs? That depends a little on what the proxy does for you, but if you have hundreds of clients connecting through, you will have application-layer logs available to you. A traditional firewall, working up to layer 4 (Ports), would not be able to provide that for you.

I'm struggling to think of more reasons it might be useful beyond those :)

Chris
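
Added example, not part of Chris Dent's answer: the two points above (cache offload and application-layer logs versus a layer-4 view) worked through on constructed log lines. It assumes a proxy writing Squid's native access.log layout; all addresses, hostnames and sizes are made up for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy log lines (Squid native access.log layout, an assumption):
# time elapsed client result/status bytes method URL ident hierarchy/peer type
PROXY_LOG = """\
1396339200.101     12 10.0.0.15 TCP_MISS/200 48211 GET http://updates.example.com/pkg.cab - DIRECT/203.0.113.10 application/octet-stream
1396339204.530      1 10.0.0.22 TCP_HIT/200 48211 GET http://updates.example.com/pkg.cab - NONE/- application/octet-stream
1396339210.007     95 10.0.0.15 TCP_MISS/404 512 GET http://files.example.net/missing.exe - DIRECT/203.0.113.10 text/html
1396339215.880      2 10.0.0.31 TCP_MEM_HIT/200 48211 GET http://updates.example.com/pkg.cab - NONE/- application/octet-stream
"""

# Constructed layer-4 records for the same four requests if they had been
# port-forwarded/NATed instead: (source, destination, destination port, bytes).
L4_LOG = [("10.0.0.15", "203.0.113.10", 80, 48211),
          ("10.0.0.22", "203.0.113.10", 80, 48211),
          ("10.0.0.15", "203.0.113.10", 80, 512),
          ("10.0.0.31", "203.0.113.10", 80, 48211)]

def parse_proxy_log(text):
    """Turn access.log lines into dicts, skipping truncated lines."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue
        result, _, status = f[3].partition("/")
        records.append({"client": f[2], "result": result, "status": int(status),
                        "bytes": int(f[4]), "method": f[5],
                        "host": urlsplit(f[6]).hostname})
    return records

def cache_savings(records):
    """Return (cache hits, total requests, bytes that never crossed the WAN)."""
    hits = [r for r in records if "HIT" in r["result"]]
    return len(hits), len(records), sum(r["bytes"] for r in hits)

def clients_for_host(records, host):
    """Which internal clients asked for this hostname? Needs layer-7 data."""
    return sorted({r["client"] for r in records if r["host"] == host})

def l4_destinations(flows):
    """All a layer-4 device can group by: destination address and port."""
    return Counter((dst, port) for _src, dst, port, _bytes in flows)

if __name__ == "__main__":
    recs = parse_proxy_log(PROXY_LOG)
    print(cache_savings(recs))
    print(clients_for_host(recs, "files.example.net"))
    print(l4_destinations(L4_LOG))
```

In the layer-4 records both hostnames collapse into one destination address and port, so the question "who fetched from files.example.net" can only be answered from the proxy log.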

Assisted Solution

by:Rich Rumble
Rich Rumble earned 167 total points
ID: 39971961
The DMZ is a zone, segregated from other parts of the network; you would use a proxy to keep that zone more intact. If the DMZ is able to communicate with all other networks it's not very DMZ-like, so port-forwarding, NAT'ing may not be what you want. A proxy used to take traffic from the DMZ to the internet or from the internet to the DMZ allows the border of the DMZ to remain. A reverse proxy is probably the correct term: http://en.wikipedia.org/wiki/DMZ_%28computing%29#Services_in_the_DMZ
-rich

Assisted Solution

by:btan
btan earned 166 total points
ID: 39972045
Thinking wider on the context of this question, I tend to see scanning content has nothing to do with port forwarding.

It is just like saying "I trust this visitor is legit since it passed my country's customs check, I will just let it through to my premises for a stay overnight or probably longer."

By default, I will not trust, and there are no foolproof checks (more so if I am reading all the recent incidents and cases in the news). There is always the principle of "trust but verify" or simply "No trust unless proven otherwise". I do not want to delve into the technical aspect, hence just touching on the principle :) ... of a security mindset

(I may be just too conservative and have a pretty low risk appetite - if you have those devices in the chain of the traffic - why waste the $$ deploying them without maximising their contribution)

Expert Comment

by:Rich Rumble
ID: 39972077
nm

Expert Comment

by:Leon Fester
ID: 39972396
"If I have a proxy within the DMZ, and I do not scan for content, check for viruses, etc., and I do nothing to the content or block access based upon content, I might as well use port forwarding.

Is this correct?"

As the other experts suggest, it's not such a straightforward answer/decision.

Using an internal proxy like you're using is pretty much just packet forwarding so yes, it is similar to port forwarding.

Port forwarding however does not offer the same services as a proxy server.

So while we may be answering your question correctly...we do worry that you may not be asking the right question. This is where the articles become a little meaningless.

Don't forget there are many different types of proxy servers:
http://en.wikipedia.org/wiki/Proxy_server

Question: Is your proxy only servicing clients on your internal network or do you have users coming in from the WWW who also need to access your proxy?

By using port forwarding only, you could be exposing your servers which would have been obfuscated by the proxy server so the backend services would have limited exposure to the Internet.

The big question is: What is your objective here? What do you want to achieve?

Do you want to: Remove an "unnecessary" server or get an understanding of the concepts? Or other?