RE: [squid-users] Squid + Policy-Based Routing +LoadBalancing/Clustering???

From: <squid3@dont-contact.us>
Date: Mon, 30 Apr 2007 14:26:27 +1200 (NZST)

> Aaahhhh, I see your point. I wasn't thinking before I spoke. To bypass
> the normal route to the outside world would be in violation of our
> security policy and would set a precedent that I don't think our CIO is
> ready to defend
>

That sounds ... to me as a security consultant ... like you have a very
troubling security setup there. The load balancer _outside_ the FW
inaccessible to squid directly??

You should be considering both load balancer, squid and any other servers
as valuable company resources to protect from both internet and some
clients. FW outbound and inbound but not between them (unless you're _very_
paranoid and have a FW on each machine ... which is a story for later...).

But that is all besides Henrik's point. Which was...

Squid should be able to go out via FW directly for vetting, not through a
load balancer which may easily circle the loop back to squid again, and
again, ....

Thus the paths should look like this ...

User->FW/Router->Balancer->Squid->FW->Internet
and
Internet->FW->Squid->FW/Router->User

FW and Router should be considered as fast like a switch, something that
can be traversed easily more than once, but only as an invisible hop to
elsewhere.

There is no need for squid to go through the balancer twice. The
squid->internet part _cannot_ be balanced at your end by the nature of the
protocols.
Doing so merely doubles the traffic going through your hardware. Not
exactly something you want to do under any circumstances.

Amos

PS. Oh and PLEASE do not claim confidentiality on writings which are
published for the entire world to see in perpetuity.

>
> ===========================================================
>
> The information contained in this ELECTRONIC MAIL transmission is
> confidential. It may also be a privileged work product or proprietary
> information. This information is intended for the exclusive use of the
> addressee(s). If you are not the intended recipient, you are hereby
> notified that any use, disclosure, dissemination, distribution [other than
> to the addressee(s)], copying or taking of any action because of this
> information is strictly prohibited.
>
> ===========================================================
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
> Sent: Sunday, April 29, 2007 12:26 PM
> To: Fiero, Paul
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] Squid + Policy-Based Routing
> +LoadBalancing/Clustering???
>
> Sat 2007-04-28 at 22:10 -0500, Fiero, Paul wrote:
>> Ack, that isn't the answer I was looking for. We do have a load balancer
>> that we could use but, unfortunately, it means traffic would go from
>> the router, through the firewall, through the load balancer, to squid,
>> back through the load balancer, back through the firewall then out to
>> the internet and then it would return through that path.
>
> Why? The load balancer path is only for traffic Clients->Squid, how Squid
> then fetches the content is irrelevant.
> Regards
> Henrik
>
>
>
Received on Sun Apr 29 2007 - 20:26:36 MDT