TOPIC: HTTP Proxy placement

HTTP Proxy placement 8 years 9 months ago #25353

  • Chojin
  • Senior Member
What is the best place to place your web-proxy server and why?

At the moment we have a Firewall with a webproxy server, but we are going to distinguish these from each other, so in the new scenario we have a Firewall and a separate web-proxy.

Is it best to place the web-proxy server on a DMZ?
Is it best to place it on the internal side?
External side?

And most important... why?

thanks for the time invested already :)
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA

Re: HTTP Proxy placement 8 years 9 months ago #25355

  • TheBishop
  • Moderator
On a DMZ.
Because
a) you don't want it external as you make it an easy target
b) you don't want it on your internal network as if it does get compromised it has easy access to the rest of your infrastructure
c) if you put it in a DMZ you have the opportunity to tie down the traffic permitted from the outside to the proxy server (i.e. just the stuff you want to proxy, block the rest) and from the proxy back through the firewall to the hosting server(s). Ideally these would be on a second, separate DMZ as well

Re: HTTP Proxy placement 8 years 9 months ago #25356

  • Chojin
  • Senior Member
External is indeed the last option you would like to consider...

For Internal and DMZ I am still doubting,

If I place my WebProxy on the DMZ my Firewall will receive a double amount of HTTP traffic, right?
I am not fully aware how much traffic we generate by browsing.

Isn't it safe enough to allow port 80 for the webproxy to go outside and no-one else? If so it would result in a 50% less HTTP traffic crossing the firewall.

Thanks in advance.
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA

Re: HTTP Proxy placement 8 years 9 months ago #25364

  • TheBishop
  • Moderator
Yes you could put the proxy on the internal network and reduce the traffic across the firewall by 50%. But any decent firewall should be able to handle that extra 50% with ease, and that's what firewalls are for - to give you the protection you need. Unless your user base is huge you're not talking about a lot of traffic

Re: HTTP Proxy placement 8 years 9 months ago #25365

  • Chojin
  • Senior Member
I guess it is a choice based on money, security and performance...

As you said, firewall should be more than able to have this load.. Thanks for your point of view on this one.

Next step will be deciding which webproxy to place :-).
Thinking about a Bluecoat SG810
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
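
The trade-off discussed in this thread, modelled as an added example (not part of any post and not any poster's code): a default-deny firewall policy is evaluated for a proxy in the DMZ and for a proxy on the internal network, showing how often each request crosses the firewall and what the proxy host itself can reach. The zone names, all addresses, the proxy listener port 8080 and the internal server on port 445 are constructed assumptions.

```python
# Added illustration; zones, addresses and ports are constructed assumptions.
from ipaddress import ip_address, ip_network

ZONES = {"internal": ip_network("10.0.0.0/24"), "dmz": ip_network("192.168.50.0/24")}

def zone_of(ip):
    """Zone that holds ip; anything outside the listed networks is external."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def crosses_firewall(src, dst):
    """Only traffic between different zones passes through the firewall."""
    return zone_of(src) != zone_of(dst)

def policy(proxy_ip):
    """Default-deny rule set: (src_zone, src_ip or None for any, dst_zone, port)."""
    proxy_zone = zone_of(proxy_ip)
    return [
        ("internal", None, proxy_zone, 8080),      # clients may reach the proxy
        (proxy_zone, proxy_ip, "external", 80),    # only the proxy may browse out
    ]

def allowed(rules, src, dst, port):
    """Same-zone traffic never reaches the firewall, so it cannot be filtered."""
    if not crosses_firewall(src, dst):
        return True
    return any(
        zone_of(src) == src_zone and src_ip in (None, src)
        and zone_of(dst) == dst_zone and port == dport
        for src_zone, src_ip, dst_zone, dport in rules
    )

def assess(proxy_ip, client="10.0.0.20", server="10.0.0.5", web="203.0.113.10"):
    """Summarise one placement: what works, what the proxy host reaches, load."""
    rules = policy(proxy_ip)
    return {
        "client_via_proxy": allowed(rules, client, proxy_ip, 8080)
                            and allowed(rules, proxy_ip, web, 80),
        "client_direct_out": allowed(rules, client, web, 80),
        "proxy_to_internal_server": allowed(rules, proxy_ip, server, 445),
        "firewall_crossings": crosses_firewall(client, proxy_ip)
                              + crosses_firewall(proxy_ip, web),
    }

if __name__ == "__main__":
    for label, ip in (("DMZ", "192.168.50.10"), ("internal", "10.0.0.10")):
        print(label, assess(ip))
```

In this model the DMZ placement costs two firewall crossings per request instead of one, and in exchange the firewall sits between the proxy host and the internal server.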