Replacing existing firewalls with PIX's

j-blackmore
Level 1

Hello,

I am working on replacing our existing AIX firewalls with the 515 or 525. The only thing I am not sure about is HTTP proxy. We currently use transparent proxy for web surfing and FTPs on the AIX FWs. Can the PIX support this?

Thank you!

3 Replies

aacole
Level 5

The PIX does not provide an HTTP application layer proxy service; instead it provides cut-through proxy. This service permits a user to authenticate against an internal or external user database. Once a valid username and password have been entered (an application layer challenge), the PIX allows the data flow through according to the policy rules. The point is that this makes for far better performance, as the firewall is not inspecting packets at the application layer.

However some customers I deal with prefer to use the PIX as their firewall and also provide proxy servers for HTTP users as well.

How about a proxy server such as Squid?

Thank you for your reply.

I'm not familiar with Squid, but the principle would be the same for implementing it with a PIX.

Your browsers would be configured to use the proxy, and the PIX would have a rule on the inside interface only allowing outbound HTTP connections from the proxy server IP address. This stops any user from simply firing up a browser and bypassing your proxy.

However you may well find that you get better performance using the cut-through proxy feature on the PIX, as once authenticated the user has direct Internet access. If you have a fast Internet connection then it should outperform a proxy-based connection.

Is performance or URL monitoring and control your main goal?
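
The inside-interface rule described in the reply above, as an added example that is not part of the thread and not Cisco tooling: a short Python check that evaluates PIX-style `access-list` entries first-match and reports which non-proxy hosts could still reach TCP/80 directly. The ACL name `inside_out`, all addresses and the helper names are constructed for illustration.

```python
import ipaddress

PROXY = "192.168.1.10"              # constructed proxy server address
HOSTS = [PROXY, "192.168.1.50", "192.168.1.51"]   # constructed inside hosts
PORTS = {"www": 80, "ftp": 21}      # port keywords used in these samples

# Constructed sample ACLs, assumed bound with
# "access-group inside_out in interface inside".
WEAK_ACL = "access-list inside_out permit ip any any\n"
HARDENED_ACL = """\
access-list inside_out permit tcp host 192.168.1.10 any eq www
access-list inside_out deny tcp any any eq www
access-list inside_out permit ip any any
"""

def _addr(tok):
    """Consume one address spec (any | host IP | IP NETMASK) from tok."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")  # netmask form

def parse(acl_text):
    """Turn access-list lines into (action, proto, src, dst, port) tuples."""
    rules = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = _addr(rest), _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules

def allows_http(rules, src_ip, dst_ip="203.0.113.5"):
    """First-match check of an outbound TCP/80 flow; implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, s, d, port in rules:
        if proto in ("ip", "tcp") and src in s and dst in d and port in (None, 80):
            return action == "permit"
    return False

def bypass_hosts(acl_text, hosts, proxy=PROXY):
    """Non-proxy hosts that could still browse without going through the proxy."""
    rules = parse(acl_text)
    return [h for h in hosts if h != proxy and allows_http(rules, h)]
```

With the hardened list only the proxy matches the permit for `www`; every other inside host hits the deny before the final `permit ip any any`.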