I have a client that has this type of infrastructure and they would like an Proxy/Web Filter in which I have decided to add a CentOS 5 box with Squid/Dansguardian/Webmin for about 150 user. Is this the correct placement for it. Would I need to make any adjustments of the Cisco router/zone based firewall if I were to place the proxy in this location? I am stuck!

It's hard to say quite where it should go there, and that topology doesn't really match anything i'd go anywhere near professionally. The "Guests" route through a windows box, and a DamnSmall router?

Anyway, generally you'd want it in a DMZ, which here I suppose would be another interface off of the 2811, either dedicated or a trunk. Generally you could put it next to your internet facing MX, as it's a reasonably equivalent device.

Acid_keypie,

I am always grateful for your advice but this is the infrastructure that I am stuck with. Can you visually give me an example? I will be filtering both subnets. Also I am having trouble understanding a proxy being in a DMZ. Why wouldnt I place the proxy between the T1 router and the 2811? Wouldnt it filter the traffic accordingly and without compromising security?

well why *would* you put it in between? you do mean in a L3 sense? actually routing all traffic through it? yuck. the diagram is a bit confusing, putting a vlan, a switch, a server and a userbase all as items on what appears to be a logical route through the network - are you routing through your mail server?? You've got "DMZ" listed in the diagram, what does that mean?

if you put the box in the subnet between the 2811 and the DSL router, then that could constitute a DMZ in itself.

Maybe this diagram is better.

I need the proxy server too filter both subnets. You had stated that the proxy server should go into a DMZ and that you would filter traffic in the DMZ. You have me really confused. Neither one of these subnets is in a DMZ. Are you saying to create a DMZ just for the proxy server and then router all LAN traffic through the DMZ through the proxy and then out to the internet?????????????????????????????

or

??????

Your client topology is ...how to say that without being too harsh... "interesting"

really...it is a nightmare...
Anyhow....

First thing i would like to know is how many interface you have to work with on the PIX....ideally you would want 3 ports to create a DMZ and put the proxy there....however it is not 100% necessary.

DMZ option

ISP
|
|
|
| DMZ
Firewall --------- Proxy
|
|
|
Internal (whatever they decide to do in there)



If you only have 2ports (in and out) go bold and put the proxy just behind the firewall...

ISP
|
|
|
|
Firewall
|
|
Proxy
|
|
Internal

The first solution with DMZ is the best as far as security monitoring etc but you need to be sure the firewall blocks all internet connection from the internal network.
but the second one is nice because you don't have to mess with the Firewall too much.

Where did a pix come from?

Gotta say those diagrams really aren't any better in any way. you need to draw a single OSI layer. Here I don't care about switches (at layer 2) i don't care about vlans, I care about routes. Hopefully rhelaine's dmz diagram makes things look simple in theory, and you can then apply that to the infrastructure you have. but you really should look to avoid routing through a proxy, it seems simpler but isn't in the long term. point the browsers explicitly at the proxy which is off to one side in the dmz, which is basically on the way out towards the net, and jobs a good un.

sorry i read cisco firewall and i didn't read the model number....oups

Apparently that thing as plenty of port so yes go with a dmz for sure putting the proxy on the internal net doesn't make much sense in that case.

As far as pointing the browser to the proxy i wouldn't do that....i would redirect the internet traffic to the proxy with the cisco and put the proxy in transparent mode. On the short term it will avoid having to go on 150 machines and change the configuration, on the long run it will avoid support call from idiots trying to bypass the proxy, and the cisco should be able to handle it pretty easily.

nope. transparent proxies are the suxx0rzz, wccp my arse. a good proxy.pac and life is very easy without any of the significant losses of a transparent proxy like no direct user authentication.

So put the proxy in the DMZ and then route both subnet to the proxy in the DMZ through the Cisco router?

well in general yes, although it's probable that you wouldn't need to adjust routing as it'd be obtained via your default routes anyway.