Proxy Server Placement and Cisco 2811 Zone Base Firewall
Linux - Enterprise forum, LinuxQuestions.org
I have a client that has this type of infrastructure and they would like a Proxy/Web Filter, for which I have decided to add a CentOS 5 box with Squid/Dansguardian/Webmin for about 150 users. Is this the correct placement for it? Would I need to make any adjustments to the Cisco router/zone-based firewall if I were to place the proxy in this location? I am stuck!
    T1/ISP Router
          |
     Proxy Server
          |
          |
    Cisco 2811 router/Firewall----------------DSL/Router
          |                                       |
          |                                       |
     Dell Switch                                  |
          |                                       |
     3com Switch/Dell Switch                      |
     VLAN 10/192.168.5.0                          |
          |                                       |
     VLAN 2/192.168.3.0                           |
          |                                       |
     MS Mail Server                           MS Server
          |                                       |
     Web Server                                Guests
Last edited by metallica1973; 09-29-2008 at 11:08 AM.
It's hard to say quite where it should go there, and that topology doesn't really match anything I'd go anywhere near professionally. The "Guests" route through a Windows box, and a DamnSmall router?
Anyway, generally you'd want it in a DMZ, which here I suppose would be another interface off of the 2811, either dedicated or a trunk. Generally you could put it next to your internet-facing MX, as it's a reasonably equivalent device.
I am always grateful for your advice, but this is the infrastructure that I am stuck with. Can you visually give me an example? I will be filtering both subnets. Also, I am having trouble understanding a proxy being in a DMZ. Why wouldn't I place the proxy between the T1 router and the 2811? Wouldn't it filter the traffic accordingly and without compromising security?
    T1/ISP Router
          |
          |
          |
          |
    Cisco 2811 router/Firewall------DMZ---Web Proxy---------------DSL/Router
          |                                                           |
          |                                                           |
          |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>                    |
     Dell Switch                                                      |
          |                                                           |
     3com Switch/Dell Switch                                          |
     VLAN 10/192.168.5.0                                              |
          |                                                           |
     VLAN 2/192.168.3.0                                               |
          |                                                           |
     MS Mail Server                                               MS Server
          |                                                           |
     Web Server                                                    Guests
Last edited by metallica1973; 10-06-2008 at 06:45 PM.
Well, why *would* you put it in between? You do mean in an L3 sense, actually routing all traffic through it? Yuck. The diagram is a bit confusing, putting a VLAN, a switch, a server and a userbase all as items on what appears to be a logical route through the network; are you routing through your mail server?? You've got "DMZ" listed in the diagram, what does that mean?
If you put the box in the subnet between the 2811 and the DSL router, then that could constitute a DMZ in itself.
I need the proxy server to filter both subnets. You had stated that the proxy server should go into a DMZ and that you would filter traffic in the DMZ. You have me really confused. Neither one of these subnets is in a DMZ. Are you saying to create a DMZ just for the proxy server and then route all LAN traffic through the DMZ, through the proxy, and then out to the internet?
Your client's topology is... how to say that without being too harsh... "interesting".
Really... it is a nightmare...
Anyhow...
First thing I would like to know is how many interfaces you have to work with on the PIX... ideally you would want 3 ports to create a DMZ and put the proxy there... however it is not 100% necessary.
DMZ option
ISP
|
|
|
| DMZ
Firewall --------- Proxy
|
|
|
Internal (whatever they decide to do in there)
If you only have 2 ports (in and out), go bold and put the proxy just behind the firewall...
ISP
|
|
|
|
Firewall
|
|
Proxy
|
|
Internal
The first solution, with a DMZ, is the best as far as security, monitoring, etc. goes, but you need to be sure the firewall blocks all internet connections from the internal network.
But the second one is nice because you don't have to mess with the firewall too much.
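The caveat above (the firewall must block every direct internet connection from the internal network) is what the zone-based firewall configuration on the 2811 has to enforce in the DMZ option. The fragment below is an added example written for this thread, not a configuration from the original poster or from Cisco: three security zones, LAN hosts allowed to reach only the proxy's listening port, the proxy allowed out for web and DNS, and deliberately no LAN-to-outside zone pair. The DMZ subnet 10.0.0.0/24, the proxy address 10.0.0.10, Squid's port 3128, and the interface names are assumptions (on a 2811 the DMZ port would typically be on an HWIC, so FastEthernet0/3/0 is a placeholder).

```cisco
! --- zones: one per security domain (names are examples) ---
zone security INSIDE
zone security DMZ
zone security OUTSIDE

! --- LAN -> proxy: only TCP 3128 to the Squid box, from both subnets ---
ip access-list extended ACL-LAN-TO-PROXY
 permit tcp 192.168.5.0 0.0.0.255 host 10.0.0.10 eq 3128
 permit tcp 192.168.3.0 0.0.0.255 host 10.0.0.10 eq 3128

class-map type inspect match-all CM-LAN-TO-PROXY
 match access-group name ACL-LAN-TO-PROXY

! --- proxy -> Internet: what Squid needs to fetch on the users' behalf ---
class-map type inspect match-any CM-PROXY-OUT
 match protocol http
 match protocol https
 match protocol dns

policy-map type inspect PM-INSIDE-DMZ
 class type inspect CM-LAN-TO-PROXY
  inspect
 class class-default
  drop log

policy-map type inspect PM-DMZ-OUTSIDE
 class type inspect CM-PROXY-OUT
  inspect
 class class-default
  drop log

! Only these two zone pairs exist. There is intentionally no INSIDE->OUTSIDE pair:
! in ZBF, traffic between two zones with no zone pair is dropped, so a workstation
! that tries to bypass the proxy cannot reach the ISP link at all.
zone-pair security INSIDE-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-INSIDE-DMZ
zone-pair security DMZ-TO-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect PM-DMZ-OUTSIDE

! --- interface membership (names assumed) ---
interface FastEthernet0/0
 description T1/ISP router
 zone-member security OUTSIDE
interface FastEthernet0/1
 description Dell switch, VLAN 10 / VLAN 2
 zone-member security INSIDE
interface FastEthernet0/3/0
 description DMZ, Squid/Dansguardian proxy 10.0.0.10
 ip address 10.0.0.1 255.255.255.0
 zone-member security DMZ
```

Two things to verify on the box after applying something like this: `show zone-pair security` should list exactly the two pairs above, and a workstation's direct `telnet <internet-ip> 80` should fail while the same request through the proxy succeeds. If the proxy is later switched to transparent mode, the LAN-to-DMZ class would need to admit the redirected port-80 traffic instead, but the principle is unchanged: the inside zone has no path out except via the proxy.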
Gotta say those diagrams really aren't any better in any way. You need to draw a single OSI layer. Here I don't care about switches (at layer 2), I don't care about VLANs, I care about routes. Hopefully rhelaine's DMZ diagram makes things look simple in theory, and you can then apply that to the infrastructure you have. But you really should look to avoid routing through a proxy; it seems simpler but isn't in the long term. Point the browsers explicitly at the proxy, which is off to one side in the DMZ, which is basically on the way out towards the net, and job's a good 'un.
Sorry, I read Cisco firewall and didn't read the model number... oops.
Apparently that thing has plenty of ports, so yes, go with a DMZ for sure; putting the proxy on the internal net doesn't make much sense in that case.
As far as pointing the browser to the proxy, I wouldn't do that... I would redirect the internet traffic to the proxy with the Cisco and put the proxy in transparent mode. In the short term it will avoid having to go to 150 machines and change the configuration; in the long run it will avoid support calls from idiots trying to bypass the proxy, and the Cisco should be able to handle it pretty easily.
Nope. Transparent proxies are the suxx0rzz, WCCP my arse. A good proxy.pac and life is very easy, without any of the significant losses of a transparent proxy, like no direct user authentication.
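The explicit-proxy approach the last reply favours comes down to a proxy.pac file. The block below is an added example for this thread, not a file from the poster or from the Squid project: a PAC that sends both LAN subnets' browsers to the DMZ proxy for everything except local destinations, with no DIRECT fallback so a proxy outage cannot silently turn into unfiltered access. The proxy address 10.0.0.10:3128, the internal domain corp.example, and the subnet list are assumptions. A browser provides isInNet, isPlainHostName and shExpMatch itself; they are reimplemented here only so the file can be unit-tested under Node, and this isInNet only understands dotted-quad addresses (a browser would resolve a hostname first).

```javascript
// --- stand-ins for the browser-provided PAC helpers (test scaffolding) ----------

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number; null if malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// isInNet(host, pattern, mask): true when host (an IP literal here) is inside pattern/mask.
// The >>> 0 keeps the comparison unsigned, since JS bitwise ops yield signed 32-bit ints.
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// A plain host name has no dots (e.g. "intranet").
function isPlainHostName(host) {
  return String(host).indexOf(".") === -1;
}

// Shell-style glob match: "*" matches any run, "?" a single character.
function shExpMatch(str, shexp) {
  var re = "^" + String(shexp)
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")   // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// --- the PAC itself -------------------------------------------------------------

var PROXY = "PROXY 10.0.0.10:3128";   // assumed DMZ address of the Squid/Dansguardian box

function FindProxyForURL(url, host) {
  // Local destinations go direct: intranet names, the assumed internal domain,
  // both LAN subnets from the thread, and loopback. The proxy must not be asked
  // to reach hosts the client can already see.
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.corp.example") ||                   // assumed internal domain
      isInNet(host, "192.168.5.0", "255.255.255.0") ||        // VLAN 10
      isInNet(host, "192.168.3.0", "255.255.255.0") ||        // VLAN 2
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else is the Internet and goes through the filtering proxy.
  // Deliberately no "; DIRECT" fallback: if the proxy is down, browsing stops
  // rather than bypassing the filter (the firewall would block it anyway).
  return PROXY;
}
```

Serve the file from an internal web server and point the browsers (or DHCP option 252 / a domain policy) at its URL; the fail-closed choice on the last line only holds up if the firewall also has no LAN-to-Internet path, otherwise a user can simply untick the proxy setting.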