Re: [FW-1] [Re: [FW-1] HTTP security server woes on NG... frustration levelrising...]



Well, he did say that it made sense in some small environments, and I think a two ip site might classify. Not a good enough reason in my opinion, though, as you could just as easily set up a DMZ for the dedicated servers and not use up any public IPs.

Jeff LaCoursiere
Infrastructure Specialist
T-Motion

-----Original Message-----
From: Michael S. Hobbs [mailto:[email protected]]
Sent: 11 June 2002 00:16
To: [email protected]
Subject: Re: [FW-1] [Re: [FW-1] HTTP security server woes on NG...
frustration levelrising...]


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I do agree with all of your points, but what if you are short on ip space? Wouldn't using a security server allow you to use your FW's ip instead of allocating one for SMTP or HTTP? I have a small fledgling network consulting business and right now we have 2 ip's available to us. (Now we could probably get more, but let's say we couldn't at the moment) We use the smtp security server to redirect our mail traffic in to our mail server. Of course, the security server isn't doing anything in the way of header filtering, that's done via sendmail but it allows us to use the other ip for a web server or some other DMZ host. I guess my point is that everything has its place. Just my 2 cents.

Michael S. Hobbs  A+, MCP
Unicon, Inc.

- -----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Don
Sent: Monday, June 10, 2002 12:44 PM
To: [email protected]
Subject: Re: [FW-1] [Re: [FW-1] HTTP security server woes on NG... frustration levelrising...]


> So what would you say are the ways in which the Security Servers should
> be used? Just curious, not a loaded question or anything.
I don't think they should be used at all, although they can make sense in
small environments and as a temporary solution to (for example) a virus
threat or something similar.

Why would you use the HTTP security server on CheckPoint? It adds load to
your firewall, results in more potentially vulnerable code that needs to
be run on the firewall itself, etc.

Why wouldn't you set up a dedicated web proxy to handle these connections?
A dedicated web proxy is designed specifically for this sort of task. It
is more efficient, keeps the load off your firewall, can do caching, is
easily configured either on the client or through the use of WCCP, etc. If
you want to do virus scanning or URL filtering, you can do it right on the
proxy. If you use CheckPoint you will still need a separate box.

What about SMTP? There is _no_ reason to use CheckPoint as an SMTP proxy.
Postfix, Exim, and qmail are extremely capable MTAs, don't cost a thing,
have performance far in excess of what CheckPoint offers, are more
configurable, and more scalable. Want more SMTP bandwidth? Fine, just add
more relays. Want anti-virus? Fine, just use MimeSweeper as your relay.

Considering the way SMTP is handled in DNS, there is no reason for the
firewall to become involved with this sort of traffic.

A good question to ask yourself is: Why _should_ I use the security
server not why shouldn't I. In 99% of the cases, a good network setup and
real proxy servers are a much better choice (reliable and scalable) than
using the equivalent CheckPoint solution.

And just forget about CVP! CVP is a solution with no problem. Anything you
can do with CVP is better done through other solutions, and with less
headache. CVP is a cute "trick" that people seem to like to implement
just because it is there.

Just once I would like someone to give me a good reason for using CVP.

- -Don

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPQUzSSlHPLksEJRBEQKJ3ACg0vicrLUWuox6fns7vJ77YhgendwAoK1c
SN+EK09up/3qY8Qm5IV/+S4i
=BiSl
-----END PGP SIGNATURE-----
