Re: [SQU] pix firewall and squid

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sat, 9 Dec 2000 09:49:26 +1100

You should probably spend a bit of time on www.securityfocus.com, and also search the fw-wizards mailing list archives before making
your decision.

My preferred configuration for most sites is:

external FW
   |
   |
  -------- DMZ LAN ---------
   |           |          |
   |     gatewaysquid1 .. gatewaysquidn
internal FW
   |
   |
  ------------ internal LAN -----------
    |        |            |
  squid1   squid2   ..  squidn   ... as many as needed in a farm.

The squid1...3 are the only machines that can use port 80 & 443 through the internal FW. They can only talk to the gateway squid boxes
(except for SSL, which I usually allow straight out from the internal squids).

The internal squids run user authentication, request redirection, content filtering and the like. They also have the big disks :]

The gateway squid servers are just that: HTTP gateways. As long as the request comes from squid1-n they allow it through. They have
small disks and no user authentication or redirection. The gateway squids also perform Via header stripping and any other
anonymisation you may need. (They have to be the ones to do that.)

Of course you need a pretty big install to go beyond one squid1 and squidgateway1 (unless redundancy is important to you).

What is the rationale here?

a) Defence in depth: an attack only sees the gateway squid(s), and they are protected by the external firewall. They are not allowed
to make connections through the internal firewall, so an intrusion on the squid server is of less danger to the corporate network.
b) Firewall configuration: in a minimal configuration, only two machines have access - squid1 to squidgateway1 on 80 and 443 and
squidgateway1 to the internet on safe_ports. Simpler firewall rules can also make a difference on heavily loaded firewalls.

So the quick answer (IMO) is yes: it is better to have an external and internal proxy talking. However, your 'external' proxy should
still be protected by another firewall from the big bad net.

Rob
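[Editor's note: the two squid.conf fragments below are an added illustration of the two-tier layout Rob describes, not configuration from the original post or from the Squid project. Squid 3.x directive names are used; the addresses (10.0.0.0/8 user LAN, 10.1.1.10-11 for squid1/squid2, 192.0.2.10 for gatewaysquid1), the cache sizes and the auth helper path are assumed values chosen for the example.]

```conf
# ===== internal squid (squid1) - on the internal LAN =====
# Assumed addresses (constructed for this example):
#   user LAN 10.0.0.0/8, gateway squid 192.0.2.10 in the DMZ
http_port 3128
acl users     src    10.0.0.0/8
acl SSL_ports port   443
acl CONNECT   method CONNECT

# User authentication happens only on this tier (helper path is assumed).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl authed proxy_auth REQUIRED
http_access allow users authed
http_access deny  all

# The big disks live on the internal tier.
cache_dir ufs /var/spool/squid 20000 16 256

# Plain HTTP never goes direct: everything is handed to the gateway squid,
# which is the only peer the internal FW lets this host reach on 80/443.
cache_peer 192.0.2.10 parent 3128 0 no-query default
always_direct allow CONNECT SSL_ports   # SSL goes straight out, as in the post
never_direct  allow all

# ===== gateway squid (gatewaysquid1) - in the DMZ =====
# Assumed addresses (constructed): squid1 = 10.1.1.10, squid2 = 10.1.1.11
http_port 3128
acl internal_squids src  10.1.1.10 10.1.1.11
acl Safe_ports      port 80 443

# Only the internal squids may use this gateway; no user auth here.
http_access deny  !Safe_ports
http_access allow internal_squids
http_access deny  all

# Small disk: this tier is a gateway, not the main cache.
cache_dir ufs /var/spool/squid 500 16 256

# Anonymisation has to happen on the last hop: suppress Via and
# X-Forwarded-For so nothing about the internal tier leaks outward.
via           off
forwarded_for off
request_header_access Via             deny all
request_header_access X-Forwarded-For deny all
```

With this split, an intrusion on gatewaysquid1 yields a host whose only inbound peers are the internal squids and whose outbound rights are limited to Safe_ports, and the firewall rule set reduces to exactly the two permits Rob lists: squid1 to gatewaysquid1 on 80/443, and gatewaysquid1 to the Internet on Safe_ports. A practical check on the gateway is to confirm from an address outside `internal_squids` that requests are refused (Squid returns a 403 access-denied page) and that responses fetched through the chain carry no Via header naming squid1.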

----- Original Message -----
From: "Cardinal Christopher" <Christopher.Cardinal@sms.siemens.com>
To: "'squid-users@IRCACHE.NET'" <squid-users@ircache.net>
Sent: Saturday, December 09, 2000 4:07 AM
Subject: [SQU] pix firewall and squid

> We are using Netscape Proxy and are thinking of moving to Squid. We are also
> moving from Raptor Firewall to PIX. Q: Is it better to have an internal
> Proxy and an external proxy talk through the PIX firewall, rather than one
> internal Proxy send all requests to the Internet from the PIX firewall? Any
> pros and cons? Thanks.
>
> C
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>

Received on Fri Dec 08 2000 - 15:45:09 MST
