security & squid proxy...

[gmongardi at napc.com (Grant M.)]

Hey all,
    I'm posing this question because I really don't know the answer,
Google didn't provide 'instant' satisfaction ;-), and I want to be able
to explain it intelligently. If you know of any good online docs on
this, please let me know.
    So, I just finished setting up another Squid reverse-proxy for
another customer requiring it, and I am wondering what the _real_
security benefits are over just opening port 80 on the firewall. Here is
the setup:
   o Newest Apache 2.0x server, running a 90% CGI app behind firewall
        * meaning that the caching isn't all that helpful
   o Solaris 10 server, patches are current as the web server.
   o Cisco pix firewall (no idea of the details)
   o Up-to-date Squid Proxy exposed on DMZ at port 80 (RHEL 4)
        * setup so that Sqiud can talk thru firewall to web server.

So, given an up-to-date, fully patched server that is maintained that
way, I am not sure how having the squid proxy is of any huge value. Is
this just a 'feel-good' security measure? I do fully understand the idea
of an exploit allowing an attacker to execute code as root on a
compromisable server, but isn't this just as dangerous on the Squid box?
And how does a Squid proxy prevent one from doing that on the internal
box, anyhow?

Any thoughts are welcomed,
Grant M.
-- 
Grant Mongardi
Systems Engineer
NAPC

gmongardi at napc.com
http://www.napc.com/
781.894.3114 phone
781.894.3997 fax

NAPC | technology matters
>>>>>>>>>>>>>>>>>>>>>>>> Please make a note of our new HQ address as of
May 23rd: 307 Waverley Oaks Road  Waltham MA 02452