[212] in WWW Security List Archive


CERN httpd proxy vs. SOCKS

daemon@ATHENA.MIT.EDU (John Thomas)
Sat Nov 5 14:20:12 1994

From: <jthomas@almaden.ibm.com> (John Thomas)
To: Jim Hart <hart@chaos.bsu.edu>
Cc: socks@syl.dl.nec.com, www-security@ns1.rutgers.edu
In-Reply-To: Your message of Sat, 05 Nov 94 00:13:59 EST.
             <199411050514.AAA13985@chaos.bsu.edu>
Date: Sat, 05 Nov 94 09:09:31 -0800
Reply-To: <jthomas@almaden.ibm.com> (John Thomas)

>
> What is the difference between using CERN httpd proxy server
> and SOCKS to run X/Mosaic and other browsers through a firewall?
> Which choice allows me to run the widest variety of web browsers
> with none or minimal modification?  Does there exist
> detailed documentation describing these two choices  (if
> indeed I have even correctly framed this as a choice between
> the two options, rather than a combination?)
>
> thanx,
> Jim Hart
> hart@chaos.bsu.edu

This has come up before.  The advantage of the CERN proxy is that
almost all WWW clients will work with it without any modifications
(proxy support is usually built in so you just need to set the
proxy address). You also have the option of caching which may help
somewhat on network traffic.  The disadvantage is that the CERN httpd
is a huge piece of code and although it is distributed in source,
I would not want to have to state to the security police that I have
verified that it is safe.

SOCKS, on the other hand, does require that you modify some clients but
most clients are now shipping with SOCKS built in.  There may be
problems with getting Windows clients to work with SOCKS???
It is a much smaller piece of code and could be made even
smaller if it would separate the client part from the socksd part.
It also supports some non-WWW clients like rftp, rfinger and rtelnet.

You can combine them.  You can run SOCKS on your firewall and use that
for socksified clients.  You can then socksify the CERN httpd and run
a caching httpd server inside your firewall that can be used for
clients that cannot be socksified and/or want caching.
This is the approach that we are using.

--------
John Thomas                                     Almaden Research Center
(IBM-VNET)JTHOMAS at ALMADEN                    K55/801
(Internet)jthomas@almaden.ibm.com               650 Harry Road
(408)927-2668  (tie)457-2668    (Fax)927-4002   San Jose, CA 95120
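
An added example, not part of the original message: the first bytes each kind of client sends to its proxy, and what a SOCKS server can read from them. It assumes the SOCKS version 4 request layout (the message does not name a version); the function names, address and user id are constructed for illustration.

```python
import ipaddress
import struct

SOCKS4_VERSION = 4
COMMANDS = {1: "CONNECT", 2: "BIND"}


def http_proxy_request(url: str) -> bytes:
    """Request line a proxy-aware browser sends to an HTTP proxy: the full URL."""
    return f"GET {url} HTTP/1.0\r\n\r\n".encode("ascii")


def socks4_connect_request(dst_ip: str, dst_port: int, userid: str = "") -> bytes:
    """Bytes a socksified client sends to the SOCKS server before any HTTP."""
    header = struct.pack("!BBH", SOCKS4_VERSION, 1, dst_port)
    addr = ipaddress.IPv4Address(dst_ip).packed
    return header + addr + userid.encode("ascii") + b"\x00"


def parse_socks4_request(data: bytes) -> dict:
    """Server-side view: validate the request and return the fields it carries."""
    if len(data) < 9:  # 8 fixed bytes plus the NUL that ends USERID
        raise ValueError("request too short")
    version, command, port = struct.unpack("!BBH", data[:4])
    if version != SOCKS4_VERSION:
        raise ValueError("not a SOCKS4 request")
    if command not in COMMANDS:
        raise ValueError("unknown command code")
    end = data.find(b"\x00", 8)
    if end == -1:
        raise ValueError("USERID is not NUL-terminated")
    return {
        "command": COMMANDS[command],
        "dst_ip": str(ipaddress.IPv4Address(data[4:8])),
        "dst_port": port,
        "userid": data[8:end].decode("ascii", "replace"),
    }


if __name__ == "__main__":
    # Constructed sample values (documentation address range, made-up user).
    print(http_proxy_request("http://www.example.com/index.html"))
    wire = socks4_connect_request("192.0.2.10", 80, "jdoe")
    print(wire.hex(" "), parse_socks4_request(wire))
```

The HTTP proxy receives the whole URL, which is what makes caching and per-URL logging possible; the SOCKS server receives only an address, a port and a user id, so its access decisions and logs are limited to those fields.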
