Hey all,

I'm posing this question because I really don't know the answer, Google didn't provide 'instant' satisfaction ;-), and I want to be able to explain it intelligently. If you know of any good online docs on this, please let me know.

So, I just finished setting up another Squid reverse-proxy for another customer requiring it, and I am wondering what the _real_ security benefits are over just opening port 80 on the firewall. Here is the setup:

o Newest Apache 2.0x server, running a 90% CGI app behind firewall
  * meaning that the caching isn't all that helpful
o Solaris 10 server, patches are current as the web server.
o Cisco pix firewall (no idea of the details)
o Up-to-date Squid Proxy exposed on DMZ at port 80 (RHEL 4)
  * setup so that Squid can talk thru firewall to web server.

So, given an up-to-date, fully patched server that is maintained that way, I am not sure how having the squid proxy is of any huge value. Is this just a 'feel-good' security measure? I do fully understand the idea of an exploit allowing an attacker to execute code as root on a compromisable server, but isn't this just as dangerous on the Squid box? And how does a Squid proxy prevent one from doing that on the internal box, anyhow?

Any thoughts are welcomed,

Grant M.

--
Grant Mongardi
Systems Engineer
NAPC
gmongardi at napc.com
http://www.napc.com/
781.894.3114 phone
781.894.3997 fax

NAPC | technology matters

>>>>>>>>>>>>>>>>>>>>>>>>
Please make a note of our new HQ address as of May 23rd:
307 Waverley Oaks Road
Waltham MA 02452

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.