Re: [FW-1] [Re: [FW-1] HTTP security server woes on NG... frustration level rising...]
> So what would you say are the ways in which the Security Servers should
> be used? Just curious, not a loaded question or anything.

I don't think they should be used at all, although they can make sense in small environments and as a temporary solution to (for example) a virus threat or something similar.

Why would you use the HTTP security server on CheckPoint? It adds load to your firewall, results in more potentially vulnerable code that needs to be run on the firewall itself, etc. Why wouldn't you set up a dedicated web proxy to handle these connections? A dedicated web proxy is designed specifically for this sort of task. It is more efficient, keeps the load off your firewall, can do caching, is easily configured either on the client or through the use of WCCP, etc. If you want to do virus scanning or URL filtering, you can do it right on the proxy. If you use CheckPoint you will still need a separate box.

What about SMTP? There is _no_ reason to use CheckPoint as an SMTP proxy. Postfix, Exim, and qmail are extremely capable MTAs, don't cost a thing, have performance far in excess of what CheckPoint offers, are more configurable, and more scalable. Want more SMTP bandwidth? Fine, just add more relays. Want anti-virus? Fine, just use MimeSweeper as your relay. Considering the way SMTP is handled in DNS, there is no reason for the firewall to become involved with this sort of traffic.

A good question to ask yourself is: Why _should_ I use the security server, not why shouldn't I. In 99% of the cases, a good network setup and real proxy servers are a much better choice (reliable and scalable) than using the equivalent CheckPoint solution.

And just forget about CVP! CVP is a solution with no problem. Anything you can do with CVP is better done through other solutions, and with less headache. CVP is a cute "trick" that people seem to like to implement just because it is there. Just once I would like someone to give me a good reason for using CVP.
-Don