[squid-users] Re: Web site got hack through squid

From: Mar Matthias Darin <BDarin@dont-contact.us>
Date: Sun, 05 Sep 2004 04:39:13 -0500

Hendrik Voigtländer writes:

> Discussion Lists wrote:
>> Hi Tom,
>> People should correct me if I am wrong, however a proxy server such as
>> squid doesn't know the difference between a legitimate web request and
>> a malicious one. Both can, and in most cases are required to, be
>> compliant with various networking RFCs. A malformed GET request, for
>> instance, done with just the right payload (no need to tweak it to work
>> with squid), and aimed at a sufficiently vulnerable Windows box/service
>> is all it takes. A reverse-shell spawning payload would give the attacker
>> unlimited access to your machine at that point. Since all a proxy server does
>> is forward web transactions, that service is nearly as vulnerable as if
>> the box was sitting naked on the Internet. So without knowing more
>> details, this comes down to a question of how well patched is your web
>> service?
>>
>> Hope that helps,
>> Mark
>>
> Hello,
>
> I have not (yet) used squid as a reverse proxy, but we had a similar
> discussion a couple of weeks ago in the office. A software vendor and the
> person responsible for the new service insisted on using a reverse proxy for
> security reasons.
> My point of view is similar to yours: any request with the "right"
> payload will hit the webserver regardless of whether a reverse proxy is used or
> not.
> The only way to improve the situation could be a reverse proxy with
> filtering capabilities as provided by some firewall products.
> When implementing a reverse proxy based on free software I can only think
> of squid or apache with mod_proxy, but IMHO both will not filter the
> requests. Am I on the right track?

Two of the best weapons squid has are its ACL list and authentication... I
have had a hacker doing their best to try to hack mine... Also, moving to a
different port is a major plus for squid. It becomes less predictable and
less obvious.

I run squid on a 9-computer LAN with all the ACLs pointing to the exact IP
addresses rather than a generic netmask. This too has added to security. A
final note on security, it means more work, but well worth it: assign IP
addresses, not DHCP. That is an accident waiting to happen, esp. with
wireless.

Depending on your setup, blocking all IP addresses that do not have a
reverse DNS entry is also a security plus.

I use these methods in my own security policy with excellent success. I
must emphasize though that a firewall is not the end of a security policy,
but merely the beginning.

If you are interested in adding to your security policy, have a look at
http://tanaya.net/BullDog

It's GPL and free.
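As an added illustration of the points above (explicit per-host ACLs, proxy authentication, a non-default port and a reverse-DNS check), here is a constructed squid.conf fragment. It is not from the original post or from the squid project; the port, the 192.0.2.x addresses, the helper path and the behaviour of `srcdomain` on a failed lookup are assumptions to verify against your own squid version.

```conf
# Constructed squid.conf fragment (added example, not from the original post).

# Listen on a non-default port so the proxy is less obvious to scanners.
http_port 8181

# Name each LAN client explicitly instead of a whole subnet.
# 192.0.2.0/24 is documentation address space, used here as a placeholder.
acl lan_hosts src 192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14 192.0.2.15
acl lan_hosts src 192.0.2.16 192.0.2.17 192.0.2.18 192.0.2.19
# The "generic netmask" form admits any address in the range, including
# a rogue DHCP or wireless client that picked up a free lease:
#acl lan_subnet src 192.0.2.0/24

# Require a proxy login on top of the address check.
# Helper path is an assumption; use the basic-auth helper shipped with your build.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours
acl authed proxy_auth REQUIRED

# srcdomain performs a reverse lookup on the client IP. When that lookup
# fails, squid matches the list against the literal name "none" (assumption
# based on squid's ACL code; confirm on your version). This is a slow ACL
# and will lock out any legitimate client without a PTR record.
acl no_rdns srcdomain none

# First matching http_access line wins, so deny the unresolvable clients,
# then allow only known hosts that also authenticated, then deny the rest.
http_access deny no_rdns
http_access allow lan_hosts authed
http_access deny all
```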


Received on Sun Sep 05 2004 - 03:39:29 MDT
