Re: [squid-users] Security Concerns from Amos Jeffries on 2008-11-06 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 7 Nov 2008 13:19:00 +1300 (NZDT)

> On Thu, 2008-11-06 at 14:52 +0000, David Hurcomb wrote:
>> Hello,
>>
>> I am running Squid on a Linux box which is also hosting a customer
>> database (Oracle).
>>
>> I am concerned that by having the Proxy server on the same box as the
>> database that I am introducing an increased security risk.
>>
>> e.g. an exploit in squid might mean that a hacker is able to gain access
>> to my customer database.
>>
>> Assuming that my network is locked down so that the (external router)
>> firewall has blocked all WAN->LAN traffic to our network on all ports am
>> I correct in assuming that....
>>
>> The only weakness is from an security exploit to squid being initiated
>> from inside our network.
>>
>> The network user might potentially be duped to go to a boobytrapped web
>> page which has the potential to exploit a security weakness in squid
>> itself.
>>
>> Thanks in advance for your answers, I would like to be able to sleep
>> soundly that my proxy server is not a security risk to my data.
>
> You did not ask any questions. In general, you are correct that adding
> applications to a server increases your security risks. Hopefully, the
> benefits of those applications outweigh the risks.
>
> In Squid's case, you can (and should) mitigate some of the risks by
> running Squid using a non-privileged user account which is different
> from the database user account. If Squid is compromised and Linux is
> not, you may lose connectivity but not the database.
>

There is a list of advisories against certain older Squid releases.
http://www.squid-cache.org/Advisories/

In the end it comes down to, use the latest Squid available (2.7.STABLE5
or 3.0.STABLE10) and be careful with the access controls you configure.

If you are in a security critical situation, stay away from transparent
interception. There are complicated but possible avenues for abusing
transparent proxies for web access (but none known that would affect
non-web software without a badly insecure config).

Amos
Received on Fri Nov 07 2008 - 00:19:06 MST

This archive was generated by hypermail 2.2.0 : Fri Nov 07 2008 - 12:00:03 MST