security & squid proxy...
Tom Metro
blu at vl.com
Tue Aug 8 12:40:47 EDT 2006
Grant M. wrote:
> I just finished setting up another Squid reverse-proxy...
> and I am wondering what the _real_ security benefits are over
> just opening port 80 on the firewall.
So the structure looks like this?
Internet -> Squid [DMZ] -> firewall -> web server
> So, given an up-to-date, fully patched server that is maintained that
> way, I am not sure how having the squid proxy is of any huge value.
...
> I do fully understand the idea of an exploit allowing an attacker to
> execute code as root on a compromisable server, but isn't this just
> as dangerous on the Squid box?
Consider the attack vectors against this setup:
Internet -> firewall -> web server
Presumably if your firewall is doing its job, the only means of access
to the web server is port 80. So any successful attack depends on data
being sent over port 80.
In the setup with just a firewall, there is nothing but Apache on the
web server examining the content of the data on port 80. This means any
flaws in Apache, like exploitable buffer overruns, can be taken
advantage of.
> And how does a Squid proxy prevent one from doing that on the internal
> box, anyhow?
The general idea is that any proxy will sanitize the protocol, so the
target server never sees things that might trigger an exploit. Because
the proxy has a simpler job and design, it itself is less likely to have
the same exploitable flaws as the server it is protecting.
Of course any real proxy might suffer from flaws of its own, or the
target server might have flaws that can be exploited while sending
perfectly valid data that complies with the protocol.
Personally, I'd rather do away with the overhead of a proxy (unless it
is needed for the other benefits it provides) and have the web server in
the DMZ, with indirect links to any resources needed behind the firewall.
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
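To make the "any proxy will sanitize the protocol" argument in this message concrete, here is an added example that is not code from the original thread and is not Squid's own request parser (Squid's is far more involved). It models the one thing a reverse proxy can do for the origin: parse the request head itself, reject anything it cannot fully understand, and re-emit a canonical request, so the web server only ever sees requests built by the proxy. It also shows the caveat from the message: a request that is perfectly valid HTTP but hostile in its content (the constructed `valid_but_hostile` sample) passes straight through. The size limits, method allowlist and all sample requests are assumptions constructed for illustration.

```python
"""Model of what an HTTP reverse proxy can and cannot do for an origin server.

Added example, not part of the original mailing-list thread and not Squid's code.
"""
import re

# Limits and method allowlist are illustrative assumptions, not Squid defaults.
MAX_REQUEST_LINE = 8192
MAX_HEAD_BYTES = 16384
MAX_HEADERS = 64
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
ALLOWED_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}

TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 7230 token chars
HEADER_VALUE = re.compile(rb"[\t\x20-\x7e]*")          # printable ASCII, no CR/LF/NUL
TARGET = re.compile(rb"/[\x21-\x7e]*")                  # origin-form, visible ASCII only


class Rejected(Exception):
    """Raised when the proxy refuses to forward a request to the origin."""


def sanitize(raw: bytes) -> bytes:
    """Parse a raw HTTP/1.x request head and return a canonical re-encoding.

    Anything that does not parse cleanly is rejected rather than passed through,
    so malformed input never reaches the origin server's (possibly buggy) parser.
    """
    if len(raw) > MAX_HEAD_BYTES:
        raise Rejected("request head too large")
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise Rejected("incomplete request head")
    lines = head.split(b"\r\n")
    # After splitting on CRLF, any remaining CR or LF is a bare line ending.
    if any(b"\r" in line or b"\n" in line for line in lines):
        raise Rejected("bare CR or LF in request")

    request_line, header_lines = lines[0], lines[1:]
    if len(request_line) > MAX_REQUEST_LINE:
        raise Rejected("request line too long")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise Rejected("malformed request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        raise Rejected("method not allowed")
    if version not in ALLOWED_VERSIONS:
        raise Rejected("unsupported HTTP version")
    if not TARGET.fullmatch(target):
        raise Rejected("bad request target")

    if len(header_lines) > MAX_HEADERS:
        raise Rejected("too many headers")
    headers = []
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            raise Rejected("malformed header")
        value = value.strip(b" \t")
        if not HEADER_VALUE.fullmatch(value):
            raise Rejected("control characters in header value")
        headers.append((name.title(), value))  # normalise name casing
    hosts = [v for n, v in headers if n == b"Host"]
    if len(hosts) > 1 or (version == b"HTTP/1.1" and not hosts):
        raise Rejected("HTTP/1.1 requires exactly one Host header")

    # Re-emit the request from parsed fields: the origin sees our encoding, not the client's.
    out = b" ".join((method, target, version)) + b"\r\n"
    for name, value in headers:
        out += name + b": " + value + b"\r\n"
    return out + b"\r\n"


def demo() -> dict:
    """Run the sanitizer over constructed sample requests and collect the outcomes."""
    samples = {  # all constructed for this example
        "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n",
        "bare_lf": b"GET / HTTP/1.1\nHost: www.example.com\r\n\r\n",
        "nul_in_header": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-A: a\x00b\r\n\r\n",
        "overlong_line": b"GET /" + b"A" * 9000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "trace": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        # Valid HTTP carrying an SQL-injection-style query: the proxy cannot help here.
        "valid_but_hostile": b"GET /search?q=%27%20OR%201%3D1-- HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    }
    results = {}
    for name, raw in samples.items():
        try:
            results[name] = sanitize(raw)
        except Rejected as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result!r}")
```

The design point is the one the message makes: the proxy's parser is small enough to be confident about, it fails closed, and the origin never sees raw client bytes. What it cannot do is judge the meaning of a well-formed request, which is why `valid_but_hostile` is forwarded unchanged; that is the origin's problem, proxy or not.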