[squid-users] Squid and MailScanner outside DMZ using Kaspersky

From: Paul Welsh <[email protected]>
Date: Tue, 23 Jan 2007 00:37:32 -0000

I work for a company of 100+ people in the UK. We use MS ISA 2004 running
SurfControl. We use www.MessageLabs.com for email scanning and web content
scanning. The web scanning works by pointing our ISA server to an upstream
proxy at MessageLabs. This works well and has minimal administrative
overhead but it is rather expensive at about GBP5,000 per year.

There are various web scanning applications out there that sit on the ISA
server such as the one from Kaspersky labs -
http://www.kaspersky.com/anti-virus_ms_isa_server. This will work out
significantly cheaper than using the Messagelabs web scanner. However, I
worry about the performance and reliability of installing both this and
SurfControl on my ISA server.

Today I came across Kaspersky's Anti-Virus for Proxy Server which requires
Squid - http://www.kaspersky.com/anti-virus_linux_proxy_server. Using this
on a Linux box and pointing the ISA server at it as an upstream proxy would
appear to get around my concerns about reliability and performance.

Having such a server might also allow me to install MailScanner -
www.mailscanner.info - with SpamAssassin and a couple of anti-virus products
and use it as a replacement for the MessageLabs mail scanning service.
Voila, 2 invoices killed with one server!

I have several questions:

1. Can the Squid server handle being a mail server too? I'd invest in
something like a HP DL360 rackmount server with say a 3.x GHz processor, 1
GB RAM and 2 x 70 GB or 140 GB disks in a RAID 10 configuration. We're not
heavy mail users.

2. Having thought about the network topology I am seriously considering
putting two NICs in the Squid server, one on the DMZ of the ISA server and
the other on the Internet using one of our spare public IPs. This would get
around what I see as a potential performance issue of the ISA server passing
requests for web sites to the Squid server over the DMZ connection and the
Squid server then passing the same request to the Internet via the DMZ port
of the ISA server. Does this make sense, or am I exaggerating the
performance hit on the ISA server and would be better off just putting the
Squid server on the DMZ with a single NIC and using rules on the ISA server
to allow it access to the Internet etc? Bear in mind the Squid server will
be used for SMTP too so I'd need to permit incoming SMTP via the ISA server,
etc.

3. How about if I give the Squid server its own high speed ADSL connection?
I'd do this to conserve bandwidth on our expensive leased line (bandwidth
needed for incoming requests to our web servers). In this scenario, which
is a likely change within the next few months, I believe I'd need to put a
2nd NIC in the Squid server and pass all web requests over that 2nd card to
the ADSL connection with web page requests from the ISA server going over
the DMZ. Does this make sense? Clearly, the Squid server would need to run
firewall software or use simple port forwarding on the ADSL router.

4. I could simply leave things as they are. The current system works fine
and the company can afford the GBP5k or so per year that we currently pay.
By taking web page scanning and mail scanning in-house I get administrative
hassle and end up relying on one server rather than utilising the hundreds
of servers and human resources that a company like MessageLabs has to draw
on.

Thanks for reading this far and I welcome any comments or advice.

-- 
512k Broadband £14.99 per month
Unlimited Downloads - No extra Costs
£14.99 per month (inc. VAT)
Order Now www.adsl4less.com
Received on Mon Jan 22 2007 - 17:37:46 MST

This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:01 MST
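The dual-NIC layout in questions 2 and 3 (ISA on the DMZ side, a public or ADSL address on the other) has one security consequence worth pinning down in the Squid configuration: the moment Squid listens on the Internet-facing interface and its access rules are permissive, it is an open proxy for the whole Internet, and SMTP relaying on the same box has the same failure mode. The squid.conf fragment below is an added illustration, not from the post or from Kaspersky's or MailScanner's documentation. It assumes the DMZ subnet is 192.0.2.0/24 with the ISA server's DMZ interface at 192.0.2.1 and the Squid box's DMZ NIC at 192.0.2.10, and that the second NIC (public IP or ADSL side) is 203.0.113.2; all of those addresses are placeholders.

```conf
# --- Weak form (do NOT use): Squid answers on every interface, including the
# Internet-facing NIC, and lets any client through. Anyone on the Internet can
# then relay HTTP/CONNECT traffic through this box.
#
#   http_port 3128
#   http_access allow all

# --- Hardened form for the two-NIC topology described above.

# Listen ONLY on the DMZ-side address; the ISA server is the sole client.
# Nothing is bound on 203.0.113.2 (the public/ADSL side), so there is no
# proxy port reachable from the Internet at all. (Placeholder addresses.)
http_port 192.0.2.10:3128

# No ICP/HTCP peering is needed for a single upstream proxy; disable it so
# those UDP ports are not exposed either.
icp_port 0

# The only permitted source is the ISA server's DMZ interface (placeholder).
acl isa_server src 192.0.2.1/32

# Standard port hygiene: only forward to well-known web ports and only
# allow CONNECT tunnels to 443, so the proxy cannot be used to reach
# arbitrary TCP services (e.g. SMTP on port 25) via CONNECT.
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow isa_server
# Everything else, including any request that somehow arrives from the
# public side, is refused.
http_access deny all

# Question 3: send outbound fetches over the second NIC (ADSL/public side,
# placeholder address) rather than back through the ISA server's DMZ port.
# The host's default route must point at the ADSL router for this to take
# effect; keep a static route for 192.0.2.0/24 via the DMZ NIC so replies
# to ISA go back the way they came.
tcp_outgoing_address 203.0.113.2

# Hostname shown in error pages (placeholder).
visible_hostname proxy.example.com
```

A practical check after deploying this is to try `curl -x http://203.0.113.2:3128 http://example.com/` from outside the firewall (substituting the real public address): the connection should be refused outright because nothing listens there, and the same request from the ISA server's DMZ address should succeed. Repeat the test for port 25 once MailScanner's MTA is installed, since an MTA that accepts relay from the public NIC recreates the same open-relay problem on the mail side.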