Solved

Proxy without scanning content

Posted on 2014-04-01
Last Modified: 2014-04-02
I have read some excellent posts and have learned a lot, but have to ask one last question on this subject.

If I have a proxy within the DMZ, and I do not scan for content, check for viruses, etc., and I do nothing to the content or block access based upon content, I might as well use port forwarding.

Is this correct?
Question by:Anthony Lucia
5 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 167 total points
ID: 39971914
Do you use it to cache content and therefore reduce the load on your WAN / Internet circuits?

Do you ever, or will you ever, need to refer to the logs? That depends a little on what the proxy does for you, but if you have hundreds of clients connecting through, you will have application-layer logs available to you. A traditional firewall, working up to layer 4 (Ports), would not be able to provide that for you.

I'm struggling to think of more reasons it might be useful beyond those :)

Chris
0
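Added example (not part of the original thread, and not any product's code): a sketch of the logging difference described in the answer above, comparing the record a layer-4 port forwarder can write with the record an HTTP-aware proxy can write for the same connection, with no content scanning involved. The `Conn` type, function names, addresses and sample payloads are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    """What any device in the path knows about one forwarded connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes  # bytes the client sent (constructed samples below)

def l4_log(conn):
    """Record a port forwarder or layer-4 firewall can produce."""
    return {"src": f"{conn.src_ip}:{conn.src_port}",
            "dst": f"{conn.dst_ip}:{conn.dst_port}",
            "bytes_in": len(conn.payload)}

def l7_log(conn):
    """Record an HTTP-aware proxy can produce without inspecting the body."""
    record = l4_log(conn)
    head, _, _body = conn.payload.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        # A proxy notices non-HTTP traffic on an HTTP port; a forwarder passes it on.
        record["protocol_error"] = "not an HTTP request line"
        return record
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    record.update(method=parts[0], path=parts[1], version=parts[2],
                  host=headers.get("host"), user_agent=headers.get("user-agent"))
    return record

# Constructed sample connections (addresses and hostnames are placeholders).
SAMPLE_HTTP = Conn("10.0.5.23", 51544, "192.0.2.10", 80,
                   b"GET /reports/q1.pdf HTTP/1.1\r\nHost: intranet.example.com\r\n"
                   b"User-Agent: ExampleClient/1.0\r\n\r\n")
SAMPLE_OTHER = Conn("10.0.5.77", 40212, "192.0.2.10", 80, b"\x16\x03\x01\x00\x05hello")

if __name__ == "__main__":
    for c in (SAMPLE_HTTP, SAMPLE_OTHER):
        print("L4:", l4_log(c))
        print("L7:", l7_log(c))
```

For the second sample the layer-4 record looks like any other connection to port 80, while the proxy record flags that the payload was not HTTP at all.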
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 167 total points
ID: 39971961
The DMZ is a zone, segregated from other parts of the network; you would use a proxy to keep that zone more intact. If the DMZ is able to communicate with all other networks, it's not very DMZ-like, so port-forwarding, NAT'ing may not be what you want. A proxy used to take traffic from the DMZ to the internet or from the internet to the DMZ allows the border of the DMZ to remain. A reverse proxy is probably the correct term: http://en.wikipedia.org/wiki/DMZ_%28computing%29#Services_in_the_DMZ
-rich
0
 
LVL 63

Assisted Solution

by:btan
btan earned 166 total points
ID: 39972045
Thinking wider on the context of this question, I tend to see that scanning content has nothing to do with port forwarding.

It is just like saying "I trust this visitor is legit since it passed my country's customs check, I will just let it through to my premises for a stay overnight or probably longer."

By default, I will not trust, and there are no foolproof checks (more so if I am reading all the recent incidents and cases in the news). There is always the principle of "trust but verify" or simply "No trust unless proven otherwise". I do not want to delve into the technical aspect, hence just touching on the principle :) ... of a security mindset

(I may be just too conservative and have a pretty low risk appetite - if you have those devices in the chain of the traffic - why waste the $$ deploying them without maximising their contribution)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39972077
nm
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39972396
"If I have a proxy within the DMZ, and I do not scan for content, check for viruses, etc., and I do nothing to the content or block access based upon content, I might as well use port forwarding.

Is this correct?"

As the other experts suggest, it's not such a straightforward answer/decision.

Using an internal proxy like you're using is pretty much just packet forwarding so yes, it is similar to port forwarding.

Port forwarding however does not offer the same services as a proxy server.

So while we may be answering your question correctly...we do worry that you may not be asking the right question. This is where the articles become a little meaningless.

Don't forget there are many different types of proxy servers:
http://en.wikipedia.org/wiki/Proxy_server

Question: Is your proxy only servicing clients on your internal network or do you have users coming in from the WWW who also need to access your proxy?

By using port forwarding only, you could be exposing your servers which would have been obfuscated by the proxy server so the backend services would have limited exposure to the Internet.

The big question is: What is your objective here? What do you want to achieve?

Do you want to: Remove an "unnecessary" server or get an understanding of the concepts? Or other?
0
