
BLU Discuss list archive



security & squid proxy...



On Tue, Aug 08, 2006 at 07:22:44AM -0400, Grant M. wrote:
> So, given an up-to-date, fully patched server that is maintained that
> way, I am not sure how having the squid proxy is of any huge value. Is
> this just a 'feel-good' security measure? I do fully understand the idea
> of an exploit allowing an attacker to execute code as root on a
> compromisable server, but isn't this just as dangerous on the Squid box?
> And how does a Squid proxy prevent one from doing that on the internal
> box, anyhow?

Here are the useful security attributes of squid:

- cached URLs are served directly from squid, so repeat requests
  don't interact with the server at all. This can alleviate some
  DOS attacks.

- ACLs and filters can be applied. This can exclude known bad
  guys, or restrict requested URLs to just those that fit a
  particular regex.

- delay pools can limit bandwidth either for particular servers
  or clients.

Except for the first feature, you need to explicitly configure
and regularly maintain a squid cache to keep getting security
benefits from it.

-dsr-




-- 
-. ---   -- --- .-. .   ... . -.-. .-. . - ... 
..-. ..- -.-. -.-   - .... .   -. ... .- 
..-.   ..-   -.-. -.   .-. -..   - .... ...   ..-   -.- -. .--   -.-. -..
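
The ACL, URL-regex and delay-pool features listed in the message above, sketched as a squid.conf fragment for a reverse proxy in front of one web server. This is an added example, not part of the original post; it assumes Squid 3.x or later directive syntax, and the hostname, addresses, URL paths and rate figures are constructed placeholders.

```conf
# Accept requests for the public site and forward cache misses to one backend.
# www.example.com and 192.0.2.10 are placeholders.
http_port 80 accel defaultsite=www.example.com
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=backend

# ACL: sources to exclude outright (the "known bad guys" list).
# This list only helps while someone keeps it current.
acl bad_clients src 203.0.113.0/24

# ACL: only the published hostname, and only URL paths matching one regex.
acl our_site dstdomain www.example.com
acl allowed_paths urlpath_regex -i ^/($|index\.html$|static/|app/)

# Rules are evaluated top to bottom; the first match decides.
http_access deny bad_clients
http_access allow our_site allowed_paths
http_access deny all

# Only requests that passed http_access may be sent to the backend.
cache_peer_access backend allow our_site
cache_peer_access backend deny all

# Delay pool, class 2: one aggregate bucket plus one bucket per client host.
# Values are restore-rate/bucket-size in bytes per second and bytes.
delay_pools 1
delay_class 1 2
delay_parameters 1 1000000/1000000 16000/64000
delay_access 1 allow our_site
delay_access 1 deny all
```

Running `squid -k parse` against the file checks the syntax before the proxy is reloaded.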





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
