Re: Windows as Proxy Server vs. other firewall approaches.....


From: Ron Lowe (ron.lowe_at_{DELETE}btopenworld.com)
Date: 06/24/04


Date: Thu, 24 Jun 2004 16:38:35 +0100


"Fred Marshall" <fmarshallx@remove_the_x.acm.org> wrote in message
news:eoEBinfWEHA.2408@tk2msftngp13.phx.gbl...
> I'm trying to read up on comparing a Windows-based proxy server (such as
> WinProxy) with NAT routers with stateful packet inspection (SPI). So, I'm
> very much in a learning mode.
>
> My problem is this:
>
> I can't tell to what degree proxy servers are still technologically
> advantageous in view of rapid evolution of DSL routers, etc.
> Most of my Google searches on "proxy server" find ads from the companies
> that sell proxy server software.
>
> I see the words regarding how communications are "stopped" at the proxy
> server but somehow I'm not convinced that this makes much difference from a
> security point of view. "Stopping" and "translating" in some semantic sense
> have to be the same thing don't they? Things can still get through can't
> they?
>
> Places to learn more would be appreciated.
>
> Comments regarding the clear advantage of a proxy server would also be
> appreciated! I'm trying to decide if a NAT / SPI or just NAT router
> cascaded with WinProxy makes sense.
>
> If you could have one or the other and not both, which would you use and
> why?
>
> My impression is that a non-transparent proxy server is a pain to
> administer. Is it worth it?
>
> Is a transparent proxy server setup any better than a NAT router?
>
> What questions should I be asking and have not?
>
> Thanks,
>
> Fred
>
>
>

Slightly simplified answer:

Proxy Servers and NAT are 2 different technologies
designed to achieve roughly the same end result:

Share an internet connection amongst several machines,
which all have private internal IP addresses not visible on the Internet.
Both also provide a degree of inherent firewalling,
even without any explicit firewall in them.

Proxy Servers accept e.g. HTTP requests from client machines on internal IP
addresses, and then pass on the HTTP request to the destination server using
the external IP address, on behalf of the client. The proxy becomes a
man-in-the-middle, appearing almost as a server to the client side, and as a
client to the external server.

To use a proxy server, you must set up a proxy server *per protocol*.
In other words, you need to set up an HTTP proxy, an FTP proxy, and so on
for every type of Internet access. Some protocols may not have a proxy
available for them, and some may require manual tweaking to work.

Also, you must set up the client to be proxy-aware so it sends its requests
to the proxy rather than trying to send them directly to the site you wish to
connect to.

Examples of Proxy servers include WinGate and WinProxy.

NAT is another way of doing this, but it operates at a lower level.
Again, it sits as a man-in-the-middle, but it does on-the-fly translation of
the internal IP address and port numbers to the external IP address and port
numbers. You do not need to configure individual protocols, or set up the
clients to be aware of the NAT. It works invisibly low down at the IP level.

Although I say it works invisibly, like proxies, some protocols do not work
well with NAT, and may require some manual intervention or may not work at
all.

Windows XP has a built-in NAT program called Internet Connection Sharing.
So you shouldn't need any 3-rd party proxy or NAT programs.

Broadband routers all perform Internet Connection Sharing using NAT built in
to them.

You would only use 1 Internet sharing system on your network.
With XP, that would normally be NAT, either from ICS or a router.

Simplest and most reliable is a router.
Next best choice would be XP ICS.
Last choice would be a 3rd-party NAT or proxy.

I tend to favour NAT over proxies because of their ease of use.

Do you need a firewall as well as NAT?
Probably.

NAT blocks unsolicited inbound connections naturally.
It permits replies to your outbound connections.
So it's stateful by design.
But it does nothing to block unexpected outbound connections originating
from within your network.
Also, it's a border device and does nothing to inspect traffic between the
machines on your LAN.

So for those reasons, I'd be inclined to run a host firewall on each
internal machine too.
The Windows XP firewall is not easily configurable to permit file and print
sharing from the LAN, so on a network behind NAT, I'd not use it.

At the moment, I'd use the free version of ZoneAlarm.
XP-SP2 will include a better firewall too.

--
Best Regards
Ron Lowe
MVP - Windows Networking
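
The NAT behaviour described in the reply above, as an added Python model that is not part of the original post: outbound connections create a mapping, replies that match it are passed in, anything else inbound is dropped, and outbound traffic is never refused. The class name `ToyNat`, the strict match on remote address and port, and all addresses are assumptions made for the illustration.

```python
# Added illustration (not from the original post): a toy port-translating NAT.
# Assumption: strict filtering, where an inbound packet must match the exact
# remote address and port of an existing outbound mapping. Real devices vary.
# All addresses are constructed documentation-range values.

class ToyNat:
    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_map = {}  # (int_ip, int_port, rem_ip, rem_port) -> ext_port
        self.in_map = {}   # (ext_port, rem_ip, rem_port) -> (int_ip, int_port)

    def outbound(self, int_ip, int_port, rem_ip, rem_port):
        """LAN -> Internet. Never refused: NAT only rewrites the source."""
        key = (int_ip, int_port, rem_ip, rem_port)
        if key not in self.out_map:
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = ext_port
            self.in_map[(ext_port, rem_ip, rem_port)] = (int_ip, int_port)
        return (self.external_ip, self.out_map[key], rem_ip, rem_port)

    def inbound(self, rem_ip, rem_port, ext_port):
        """Internet -> LAN. Returns the internal target, or None if dropped."""
        return self.in_map.get((ext_port, rem_ip, rem_port))


def demo():
    nat = ToyNat("203.0.113.5")
    results = {}
    # A LAN client browses to a web server: the source is rewritten.
    results["browse"] = nat.outbound("192.168.0.10", 51000, "198.51.100.7", 80)
    # The server's reply matches the mapping and is passed back in.
    results["reply"] = nat.inbound("198.51.100.7", 80, 40000)
    # An unrelated host probing the same external port has no mapping: dropped.
    results["probe"] = nat.inbound("198.51.100.99", 4444, 40000)
    # A probe of a port with no mapping at all is dropped too.
    results["closed"] = nat.inbound("198.51.100.7", 80, 40001)
    # An unexpected program on another LAN machine connects out: NAT lets it.
    results["unexpected_out"] = nat.outbound("192.168.0.11", 52000, "198.51.100.99", 6667)
    # LAN-to-LAN traffic (192.168.0.10 -> 192.168.0.11) never reaches the NAT.
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

The `unexpected_out` result is the case a host firewall on each machine is meant to catch, since the NAT translates it like any other outbound connection.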

