On Tue, 23 Mar 1999, Marc van Selm wrote:
> A firewall is a security device intended to protect internal hosts. Squid is a
> caching proxy. Security is not the intention here. You could integrate squid in
> a firewall setup (Is that wise? I guess not.)
>
> Marc
My $0.02 on this is that, architecturally speaking, it is _very_ easy to
integrate Squid into a firewall, and it's actually a really good approach
to carrying web traffic over your network border. And it's very very fast.
Of course, I wouldn't advise compiling Squid to actually _run_ on your
firewall. In most cases it would be slow, and lead to drastic reduction in
reliability.
The approach I use is to string a DMZ off the firewall and put a Squid
box on there. It's configured to barely cache, and it runs loads of
dnsservers.
I have an internal Squid box, which has the 16Gb cache on it. This box
accepts requests from clients, and is permitted through the firewall to
pass those requests to the DMZ box as a parent. The DMZ Squid has Internet
visibility (once again, through the firewall) and completes the
transaction.
Some may find this approach to be overkill, but in an environment where
nothing inside the firewalls can see the Internet, or even resolve
Internet hostnames, and where network borders are strictly enforced, it is
a very efficient way of running the show. And the bottom line is, this is
architecturally identical to running Squid on your firewall, but without
the problems.
Rgds
Richard
---------------------------------
Richard Stagg
Internet Architect
squid@bae.co.uk
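The two-tier layout Richard describes, written out as squid.conf fragments. This is an added illustration, not configuration from the message or from the Squid project; the host names (squid-dmz), the 10.0.0.0/8 client range, the 10.0.0.2 address of the internal cache, the cache sizes and the dns_children count are assumed values, and the directive syntax assumes a Squid 2.x build that still uses external dnsserver helpers.

```conf
# ---- internal Squid: the box with the big cache, inside the firewall ----
# Assumed: clients live in 10.0.0.0/8, the DMZ parent is reachable as squid-dmz:3128
http_port 3128
cache_dir ufs /var/spool/squid 16384 16 256   # the large (16Gb in the message) cache
cache_peer squid-dmz parent 3128 0 no-query default   # DMZ box is our only parent
never_direct allow all        # never fetch from the Internet directly; always via the parent
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all

# ---- DMZ Squid: the box that actually talks to the Internet ----
# Assumed: the internal cache is 10.0.0.2 and is the only host the firewall lets through
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256     # "barely cache": a small disk cache
dns_children 32               # many dnsserver helpers, since only this box can resolve Internet names
acl internal_cache src 10.0.0.2/32
http_access allow internal_cache
http_access deny all          # nothing else in the DMZ or beyond may use this proxy
```

The firewall then needs only two holes: internal cache to squid-dmz on 3128, and squid-dmz outbound to the Internet (plus DNS); `never_direct allow all` is what stops the internal box from trying to bypass the parent, and the `http_access deny all` on the DMZ box keeps it from becoming an open proxy reachable from outside.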
Received on Tue Mar 23 1999 - 02:35:42 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:45:23 MST