Re: Squid and DMZ network

From: Scott Hess <scott@dont-contact.us>
Date: Wed, 20 Oct 1999 08:30:55 -0700

That should all work fine, but... it seems to me the question should be
whether you a) want the Squid accessible from the DMZ, and b) whether you
want to let anyone who breaks the DMZ to be able to see Squid client
traffic.

a) can be addressed by firewall rules on the exterior firewall, but is
probably better addressed by the interior firewall (which probably says
something like 'No incoming connections at all'). b) may be the more
important. You generally use the DMZ as an area to deploy
Internet-accessible hosts. If someone cracks a host on the DMZ, they don't
have unrestricted access to your internal traffic. Since Squid is
presumably only to be used by your internal users, and should never be
Internet accessible, it should live inside the interior firewall. With
Squid on the internal network, someone who's cracked the DMZ will see your
aggregate web traffic - if it's on the DMZ, the cracker can more easily see
streams of http requests associated with individual workstations.
Furthermore, the cracker can see all of your http traffic, including cache
hits (I don't know why I don't like that - probably just because the less
traffic across the firewall, the better :-).

I'm not sure what the point about only one network card is aiming at,
though. Squid can be on the internal network with only one network card,
too.

Later,
scott

----- Original Message -----
From: Suresh Ganu <suresh.ganu@pmxindustries.com>
To: <squid-users@ircache.net>
Sent: Wednesday, October 20, 1999 6:26 AM
Subject: Squid and DMZ network

>
> Hello:
>
>
> I am running Squid2.2STBL3 on a RedHat5.2 for a while without any major
> problems. My squid talks to another Linux server with FTWK, which acts as
> a cache parent to squid.
>
> Nowadays, newer firewalls allow for three network connections, 1)
> Internet, 2) Protected, and 3) DMZ for mail servers, Web systems, Customer
> access servers, etc. Firewall then controls the 3-way access by
> IPAddress/port mapping filters.
>
> I have two questions:
>
> 1) Can I run squid without any parent, i.e. Direct access to Internet
> through a firewall?
>
> 2) Can I run squid on a DMZ network off a firewall? Now my system will
> have only one Network card.
>
> My users will first connect to Squid server on the DMZ network, then
> squid system will redirect requests to the Internet.
>
> Thanks..
>
Received on Wed Oct 20 1999 - 09:44:49 MDT
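A squid.conf fragment added here to illustrate the placement argument above (it is not from either message and not Squid's shipped defaults): Squid bound to the internal interface, restricted to internal clients, and fetching directly with no cache parent. The addresses (internal 192.168.1.0/24, Squid at 192.168.1.10, DMZ 192.168.2.0/24) are assumed; the weak settings are shown commented out beside the restrictive ones.

```conf
# Added example, not from either message. Constructed addresses:
#   internal LAN      192.168.1.0/24
#   Squid's interface 192.168.1.10
#   DMZ               192.168.2.0/24

# Weak: listen on every interface, so any host that can reach the box
# (DMZ or otherwise) can talk to the proxy.
#   http_port 3128

# Restrictive: accept proxy connections only on the internal interface.
http_port 192.168.1.10:3128

acl localnet src 192.168.1.0/24
acl dmz      src 192.168.2.0/24

# Weak: anyone who reaches the port may proxy through it.
#   http_access allow all

# Restrictive: internal users only; DMZ hosts and everything else are refused.
http_access deny dmz
http_access allow localnet
http_access deny all

# Question 1 (no parent): with no cache_peer line Squid goes direct;
# always_direct makes that explicit even if a peer is defined later.
always_direct allow all
```

The interior firewall should still refuse inbound connections to port 3128 from the DMZ, so that Squid's own ACLs are a second layer rather than the only one.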
