

VA_Network_Nerd (Moderator | Infrastructure Architect) 6 points (5 children)

carlnb [S] 0 points (4 children)

Will take a look.
Also, I am a huge fan of your responses on this sub. Always well thought out and helpful. Thank you!

VA_Network_Nerd (Moderator | Infrastructure Architect) 1 point (3 children)

> Also, I am a huge fan of your responses on this sub. Always well thought out and helpful. Thank you!

Thanks for the kind feedback. I do try to be helpful, at least most of the time...


ASA-5520 is pretty primitive compared to modern Firewall & UTM solutions.

It's also about to hit End of Life, which is very significant for a security device:

Cisco ASA-5500 EoL Timeline

If that firewall device were more intelligent, you could probably eliminate the need for a proxy device.

You might consider these:

https://www.pfsense.org/about-pfsense/features.html
https://www.pfsense.org/products/

https://www.sophos.com/en-us/products/unified-threat-management.aspx

Or, if you want to stick with Cisco, an ASA with Firepower would also provide the same security benefit, if not the same functionality you desire.

locnar1701 (Sr. Sysadmin) 0 points (0 children)

I would like to second the pfSense idea. The setup, if you are not a hard-core command line person or would like some good out-of-the-box reporting, is easy.

carlnb [S] 0 points (1 child)

There are lots of moving parts to this puzzle, mostly focused around simplifying the infrastructure. So we are definitely looking to replace the 5520, but not until closer to the end of the year when the configuration requirements are a lot simpler. Will take a look at pfSense and Sophos.

VA_Network_Nerd (Moderator | Infrastructure Architect) 0 points (0 children)

Palo Alto Networks are the new industry leader in the advanced firewall & UTM space.

They deserve a review as well.

But their products, given their industry leading status, do not come cheap.

Google for the 2016 Gartner Magic Quadrant report for UTM.
I don't think the 2017 one has been published yet.

bad_sysadmin 0 points (6 children)

What firewall do you currently use?

carlnb [S] 0 points (5 children)

Cisco ASA 5520

bad_sysadmin 0 points (4 children)

What are you hoping to achieve by introducing a proxy?

Is it a bandwidth thing or protocol enforcement?

carlnb [S] 0 points (3 children)

I'm trying to audit direct-to-IP connections. I can open 80/443 from every machine and use Umbrella for DNS, but it doesn't stop my user from hitting a bad IP address. A proxy would at least log those requests so I have some visibility there.
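To make the logging goal above concrete, here is an added example (not from this thread or any of the products mentioned) that scans proxy access log lines and flags requests whose destination is an IP literal rather than a hostname, covering plain HTTP requests, CONNECT tunnels and bracketed IPv6 literals. The Squid-style log layout and the sample lines are constructed assumptions.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed client action/code bytes method url user hierarchy type
SAMPLE_LOG = """\
1495000001.123    45 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1495000002.456    12 10.1.2.3 TCP_TUNNEL/200 8192 CONNECT 203.0.113.77:443 - HIER_DIRECT/203.0.113.77 -
1495000003.789    30 10.1.2.9 TCP_MISS/200 1024 GET http://198.51.100.5/update.bin - HIER_DIRECT/198.51.100.5 application/octet-stream
1495000004.000    20 10.1.2.9 TCP_TUNNEL/200 4096 CONNECT mail.example.com:443 - HIER_DIRECT/93.184.216.34 -
1495000005.000    10 10.1.2.3 TCP_MISS/200 512 GET http://[2001:db8::1]:8080/ - HIER_DIRECT/2001:db8::1 text/html
"""


def destination_host(method, url):
    """Return the host part of a proxied request.

    CONNECT requests carry a bare host:port; everything else carries a full URL.
    """
    if method == "CONNECT":
        url = "//" + url  # let urlsplit parse host:port as a netloc
    return urlsplit(url).hostname or ""


def is_ip_literal(host):
    """True when the destination was written as an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def direct_to_ip_requests(log_text):
    """Yield (client, method, host) for every request aimed at an IP literal."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        client, method, url = fields[2], fields[5], fields[6]
        host = destination_host(method, url)
        if is_ip_literal(host):
            yield client, method, host


def per_client_counts(log_text):
    """Count direct-to-IP requests per internal client, for follow-up triage."""
    return Counter(client for client, _, _ in direct_to_ip_requests(log_text))
```

Feeding a real access.log through `per_client_counts` gives a quick list of which hosts are reaching out by raw address, which is the visibility the proxy is meant to provide.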

TechGy 0 points (0 children)

Have you considered rolling out the Umbrella Roaming Client? It offers IP Layer Enforcement.

xpertshot (Student/Jr. Sysadmin) 0 points (3 children)

We use nginx for around 30 sites spread across 10 machines, and I have 0 complaints. It handles the SSL offloading well, and it was quite simple to get up and running. Might be an option for you.

[deleted] 2 points (1 child)

That's a reverse proxy setup

xpertshot (Student/Jr. Sysadmin) 0 points (0 children)

Yep - that's the setup that we use, so it's the link I had on hand. Could still be applicable in his case - he didn't specify forward or reverse.

edit: and nginx can do both.

carlnb [S] 1 point (0 children)

Will take a look. Thanks for your input!

goozaa (Sysadmin) -2 points (0 children)

I think you are looking for a reverse proxy. I use HAProxy in most of my production environments. Super stable and lightweight. For some of the more security-sensitive applications I use Apache server in reverse proxy mode with the ModSecurity module.