NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 



Re: [FW-1] [Re: [FW-1] HTTP security server woes on NG... frustration level rising...]



> So what would you say are the ways in which the Security Servers should
> be used? Just curious, not a loaded question or anything.
I don't think they should be used at all, although they can make sense in
small environments and as a temporary solution to (for example) a virus
threat or something similar.

Why would you use the HTTP security server on CheckPoint? It adds load to
your firewall, results in more potentially vulnerable code that needs to
be run on the firewall itself, etc.

Why wouldn't you set up a dedicated web proxy to handle these connections?
A dedicated web proxy is designed specifically for this sort of task. It
is more efficient, keeps the load off your firewall, can do caching, is
easily configured either on the client or through the use of WCCP, etc. If
you want to do virus scanning or URL filtering, you can do it right on the
proxy. If you use CheckPoint you will still need a seperate box.

What about SMTP? There is _no_ reason to use CheckPoint as an SMTP proxy.
Postfix, Exim, and qmail are extremely capable MTAs, don't cost a thing,
have performance far in excess of what CheckPoint offers, are more
configurable, and more scalable. Want more SMTP bandwidth? Fine, just add
more relays. Want anti-virus? Fine, just use MimeSweeper as your relay.

Considering the way SMTP is handled in DNS, there is no reason for the
firewall to become involved with this sort of traffic.

A good question to ask yourself is: Why _should_ I use the security
server, not why shouldn't I. In 99% of the cases, a good network setup and
real proxy servers are a much better choice (reliable and scalable) than
using the equivalent CheckPoint solution.

And just forget about CVP! CVP is a solution with no problem. Anything you
can do with CVP is better done through other solutions, and with less
headache. CVP is a cute "trick" that people seem to like to implement
just because it is there.

Just once I would like someone to give me a good reason for using CVP.

-Don




 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.