Re: Squid and DMZ

From: Clifton Royston <cliftonr@dont-contact.us>
Date: Mon, 27 Dec 1999 09:39:14 -1000

On Mon, Dec 27, 1999 at 08:58:08AM +0100, Heinz Ahrens wrote:
> Hello Squid-Users,
>
> someone in our company wants to use squid in the DMZ between our 2
> firewall-systems.
>
> Both (internal and external) are only filtering firewalls, but is this
> correct?

I think this is actually a good solution. Two reasons:

  1) You could then implement some additional filters on the firewalls,
  allowing only outgoing proxy connections *to* Squid from inside the
  inner firewall, and only outgoing HTTP connections *from* Squid from
  the outer firewall. (If you have stateful firewalls, additionally
  block all incoming connections to the Squid server that are not in
  response to an outgoing connection by the Squid server.) That
  significantly narrows the avenues for attack on your network.

  2) The Squid server is itself a potential target for attack. Putting
  it outside the inner firewall reduces the damage that could be done
  if it's compromised, similar to the usual recommendations to put any
  public-accessible web server outside the inner firewall.

> I think it is better to use squid only in the LAN and then implement an
> http-gw (perhaps from TIS) on the first (intern) firewall. Or SOCKS or
> something else.

  This also works. There are many ways to do it, but I think I might
actually favor the first proposal, if I were designing the network
security.

  -- Clifton

Disclaimer: I'm not a security expert; consult a real expert if you
want an expert opinion.

-- 
 Clifton Royston  --  LavaNet Systems Architect --  cliftonr@lava.net
        "An absolute monarch would be absolutely wise and good.  
           But no man is strong enough to have no interest.  
             Therefore the best king would be Pure Chance.  
              It is Pure Chance that rules the Universe; 
          therefore, and only therefore, life is good." - AC
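The two-filter layout from point 1 of the reply above, as an added example that is not from the thread, from Squid, or from any real firewall product: a small Python model of a stateful inner (LAN/DMZ) and outer (DMZ/Internet) filter, using constructed addresses, that checks which flows get through and which are stopped.

```python
import ipaddress

# Constructed addressing for this example (an assumption, not from the thread).
LAN = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("192.0.2.0/24")
SQUID = ipaddress.ip_address("192.0.2.10")
PROXY_PORT = 3128            # Squid's default listening port
WEB_PORTS = {80, 443}

class StatefulFirewall:
    """Passes a new TCP connection only if a rule accepts it, remembers that
    flow, and then passes reply packets belonging to remembered flows."""
    def __init__(self, rules):
        self.rules, self.conns = rules, set()

    def check(self, src, sport, dst, dport):
        """True if packet src:sport -> dst:dport is passed."""
        if (dst, dport, src, sport) in self.conns:       # reply to a tracked flow
            return True
        if any(rule(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)
               for rule in self.rules):
            self.conns.add((src, sport, dst, dport))       # start tracking the flow
            return True
        return False

def build_firewalls():
    """The two filters the mail describes: inner (LAN<->DMZ), outer (DMZ<->Internet)."""
    inner = StatefulFirewall([  # only LAN clients, only to Squid's proxy port
        lambda s, d, p: s in LAN and d == SQUID and p == PROXY_PORT])
    outer = StatefulFirewall([  # only Squid, only outward, only to web ports
        lambda s, d, p: s == SQUID and d not in DMZ and d not in LAN and p in WEB_PORTS])
    return inner, outer

def passes(path, packet):
    """A packet crossing several firewalls must be accepted by each in turn."""
    return all(fw.check(*packet) for fw in path)

def run_scenario():
    inner, outer = build_firewalls()
    web = "203.0.113.7"                                  # constructed external server
    return {
        # the intended path: client -> Squid, Squid -> web, and both replies
        "client_to_squid": passes([inner], ("10.0.0.5", 40000, str(SQUID), 3128)),
        "squid_to_web": passes([outer], (str(SQUID), 50000, web, 80)),
        "web_reply": passes([outer], (web, 80, str(SQUID), 50000)),
        "squid_reply": passes([inner], (str(SQUID), 3128, "10.0.0.5", 40000)),
        # what the filters are there to stop: bypassing the proxy, inbound
        # connections to the DMZ host, and a DMZ host reaching into the LAN
        "lan_direct_to_web": passes([inner, outer], ("10.0.0.5", 40001, web, 80)),
        "inbound_to_squid": passes([outer], (web, 4444, str(SQUID), 22)),
        "squid_into_lan": passes([inner], (str(SQUID), 4445, "10.0.0.5", 22)),
    }
```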
Received on Mon Dec 27 1999 - 12:50:18 MST
