On Wednesday 11 February 2004 17:17, Rainer Traut wrote:
> Hi,
>
> > Give me an example of some security measure which you
> > can accomplish with squid but not with masquerading
> > using iptables.
> >
> > If you can't, maybe you need to think first what exactly you are
> > trying to accomplish. I hope you aren't thinking "I do not exactly
> > know why, but folks said it is more secure"? ;)
>
> Ok, here are some reasons:
> - you can have more simple firewall rules.
> Don't underestimate, they are getting complex in bigger networks.
Doable with iptables
> - you can block other programs like icq.
> Only way of really blocking things like icq I can think of is
> by changing dns resolution for these hosts. simply done on the proxy
> server and not for the whole network.
Doable with iptables (block by port#)
> - simple squid acls I already mentioned
Ok this is valid 8)
> - I trust squid/linux more than windows in any kind of network operation
iptables aren't Windows stuff either :)
> > If you do need some filtering via squid, at least make it
> > transparent and unavoidable for your users. Now you have to
> > set up each user's IE to use squid, right? Nothing prevents
> > them from reenabling direct access to Inet.
>
> - you can prevent users from reenabling proxy settings easily
Yes. I thought more about scalability. What is easier -
setting up xparent squid on one box (router) or configuring
Windows on thousands of user boxes?
> - proxy settings are delivered to the client by our novell server, no
> need to do this by hand
> - users are not allowed to go directly, this was just a test, but I
> already mentioned that, sorry if that was not clear.
What can you do against someone plugging into your intranet
a preconfigured laptop which will NOT ask novell about anything
before going direct?
> - authentication does not work with transparent proxy, we are currently
> not using it, but will in the future
Wow. I'm not familiar with this stuff...
-- vda

Received on Wed Feb 11 2004 - 11:26:33 MST
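The "transparent and unavoidable" setup argued for above, as an added example that is not part of the thread: iptables rules on the Linux router that divert LAN web traffic into squid, block ICQ by port, and drop everything else forwarded from the LAN so a laptop that ignores the Novell-pushed proxy settings still cannot go direct. The interface, network, squid port and ICQ port values are assumptions for this example.

```shell
#!/bin/sh
# Added example: transparent squid on the router, plus a default-deny so that
# a host which skips the pushed proxy settings cannot "go direct".
# LAN_IF, LAN_NET, SQUID_PORT and ICQ_PORT are placeholder values assumed here.
LAN_IF="${LAN_IF:-eth1}"             # interface facing the user LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}" # user LAN (constructed example value)
SQUID_PORT="${SQUID_PORT:-3128}"     # port squid listens on, on this box
ICQ_PORT="${ICQ_PORT:-5190}"         # ICQ/AOL OSCAR login port (assumed)

# Print each command instead of running it unless APPLY=1 (needs root).
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

transparent_squid_rules() {
    # 1. Divert LAN web traffic into squid before routing. The browser never
    #    learns a proxy exists, so there is no setting to re-enable.
    rule -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
         -j REDIRECT --to-ports "$SQUID_PORT"

    # 2. Block the ICQ login port outright (the "block by port#" point).
    rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$ICQ_PORT" \
         -j REJECT

    # 3. Nothing else from the LAN is forwarded directly. Squid's own
    #    requests leave via the OUTPUT chain and are unaffected. Services
    #    you do allow (e.g. HTTPS, which this squid cannot proxy
    #    transparently) need an explicit ACCEPT placed before this rule.
    rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j DROP
}

# Caveat raised in the thread: transparent mode cannot challenge the browser
# for proxy authentication, so squid ACLs have to key on source address.
transparent_squid_rules
```

Run with `APPLY=1` as root to install the rules; without it the script only prints them for review.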