0

I have set up a proxy (using a Sophos gateway) for PCs and we are using a whitelist (so users can only access web pages that are allowed).

Is it good security practice to use a proxy on servers too?

What would be the benefits and what would be the downsides?

I'm guessing allowed ports that are used for everyone, but still better than open internet, right? Or is the open internet from servers ok, if it is not used for browsing, just for different applications that are using it?

Edit: Or is it better to just use a firewall (the upside of a proxy is that you can allow web addresses, not just IP addresses, which can change)?

2 Answers

0

It really depends on the proxy. TANSTAAFL. If the proxy server's only job is to act as a proxy for a single server, with no added processing or functionality, you are no better off - and possibly worse off than just using a firewall... But that's not the full picture.

If you have a proxy you can use it to enhance security in a number of ways, including doing additional checks on the content being sent and received, adding additional authentication and, of course, making your web server invisible and unreachable from the outside world - and in such a way that can provide an additional layer of security if done right, and if merited.

Of course the benefits of a proxy are not limited to (or in my opinion even significantly related to) security. Any security in a proxy would almost be a side benefit to the real purposes, like load sharing, HTTPS offload, failover, content caching, address rewriting and unifying of multiple resources.

davidgo
0

There are many scenarios in which you would want to add some kind of proxy and there are plenty of products out there (hardware and software). We use a FortiGate as a gateway / router / firewall combined. With subscription you can add features like Anti-Virus, IPS, SSL Inspection, Web filter, DLP and more.

That being said, I highly recommend using at least some kind of firewall other than the built-in firewall the OS (if it is Windows) has. In general, letting a server browse freely is not such a good practice; of course this depends a little bit on how valuable the information on the server or the services running on it are.

Speaking of FortiGates (I do not really know the Sophos ones, because we only use the UTM module of it), even without subscription you can open / close specific ports, forward ports etc. It gives you plenty of flexibility to control between your local subnets or the internet, which IP can talk to which etc. For blocking / allowing specific URLs however you would need the Web filtering functionality (subscription).

Benefits

  • Fine grained control over the traffic
  • Increases security a lot (especially when adding functionality like mentioned above)

Downsides

  • Latency (depending on the product)
  • Configuration

DISCLAIMER

I am not affiliated in any way with Fortinet / FortiGate, just a consumer using them and being happy with them.

josibu
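The question's point that a proxy can allow web addresses rather than IP addresses, and the second answer's note on URL filtering, come down to a default-deny decision on the requested hostname. The sketch below is an added example, not from either answer and not how Sophos or FortiGate implement filtering; the hostnames, port set and function names are constructed for illustration.

```python
import ipaddress

# Constructed allowlist for a server segment (hypothetical hostnames).
ALLOWED_SUFFIXES = {"updates.example.com", "repo.example.org"}
ALLOWED_PORTS = {443}


def normalize_host(host: str) -> str:
    """Lower-case the name and drop the trailing dot of a fully qualified name."""
    return host.strip().lower().rstrip(".")


def is_ip_literal(host: str) -> bool:
    """True for IPv4 literals and (optionally bracketed) IPv6 literals."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def egress_allowed(target: str) -> bool:
    """Decide on a CONNECT-style 'host:port' target with default deny."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit() or int(port) not in ALLOWED_PORTS:
        return False
    host = normalize_host(host)
    if not host or is_ip_literal(host):
        # Names only: a raw IP would sidestep the hostname allowlist.
        return False
    # Match on whole DNS labels so 'updates.example.com.evil.test' and
    # 'notupdates.example.com' do not slip through a naive substring check.
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


if __name__ == "__main__":
    # Constructed sample requests from a server.
    for t in ["updates.example.com:443", "Mirror.Repo.Example.org.:443",
              "updates.example.com.evil.test:443", "203.0.113.10:443",
              "updates.example.com:22"]:
        print(f"{t:40} {'ALLOW' if egress_allowed(t) else 'DENY'}")
```

A plain firewall rule would have to track whatever IP addresses those names resolve to; the hostname check stays the same when the addresses behind the names change.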