security & squid proxy...
Grant M.
gmongardi at napc.com
Tue Aug 8 07:22:44 EDT 2006
Hey all,
I'm posing this question because I really don't know the answer,
Google didn't provide 'instant' satisfaction ;-), and I want to be able
to explain it intelligently. If you know of any good online docs on
this, please let me know.
So, I just finished setting up another Squid reverse-proxy for
another customer requiring it, and I am wondering what the _real_
security benefits are over just opening port 80 on the firewall. Here is
the setup:

o Newest Apache 2.0x server, running a 90% CGI app behind firewall
  * meaning that the caching isn't all that helpful
o Solaris 10 server, patches are current as the web server.
o Cisco pix firewall (no idea of the details)
o Up-to-date Squid Proxy exposed on DMZ at port 80 (RHEL 4)
  * set up so that Squid can talk thru firewall to web server.

So, given an up-to-date, fully patched server that is maintained that
way, I am not sure how having the squid proxy is of any huge value. Is
this just a 'feel-good' security measure? I do fully understand the idea
of an exploit allowing an attacker to execute code as root on a
compromisable server, but isn't this just as dangerous on the Squid box?
And how does a Squid proxy prevent one from doing that on the internal
box, anyhow?
Any thoughts are welcomed,
Grant M.
--
Grant Mongardi
Systems Engineer
NAPC
gmongardi at napc.com
http://www.napc.com/
781.894.3114 phone
781.894.3997 fax
NAPC | technology matters
>>>>>>>>>>>>>>>>>>>>>>>> Please make a note of our new HQ address as of
May 23rd: 307 Waverley Oaks Road Waltham MA 02452