Re: [squid-users] Massive problems with https connections to Domino Server (long)

From: Rainer Traut <rainer.traut@dont-contact.us>
Date: Wed, 11 Feb 2004 16:17:52 +0100

Hi,

> Give me an example of some security measure which you
> can accomplish with squid but not with masquerading
> using iptables.
>
> If you can't, maybe you need to think first what exactly you are
> trying to accomplish. I hope you aren't thinking "I do not exactly
> know why, but folks said it is more secure"? ;)

Ok, here are some reasons:
- you can have more simple firewall rules.
Don't underestimate, they are getting complex in bigger networks.
- you can block other programs like ICQ.
  The only way of really blocking things like ICQ I can think of is
  by changing DNS resolution for these hosts. Simply done on the proxy
  server and not for the whole network.
- simple squid ACLs I already mentioned
- I trust squid/linux more than windows in any kind of network operation

> If you do need some filtering via squid, at least make it
> transparent and unavoidable for your users. Now you have to
> set up each user's IE to use squid, right? Nothing prevents
> them from reenabling direct access to Inet.

- you can prevent users from reenabling proxy settings easily
- proxy settings are delivered to the client by our Novell server, no
  need to do this by hand
- users are not allowed to go directly, this was just a test, but I
  already mentioned that, sorry if that was not clear.
- authentication does not work with transparent proxy, we are currently
  not using it, but will in the future

Rainer
Received on Wed Feb 11 2004 - 21:25:30 MST
