Grant M. wrote:
> I just finished setting up another Squid reverse-proxy...
> and I am wondering what the _real_ security benefits are over
> just opening port 80 on the firewall.

So the structure looks like this?

  Internet -> Squid [DMZ] -> firewall -> web server

> So, given an up-to-date, fully patched server that is maintained that
> way, I am not sure how having the squid proxy is of any huge value.
...
> I do fully understand the idea of an exploit allowing an attacker to
> execute code as root on a compromisable server, but isn't this just
> as dangerous on the Squid box?

Consider the attack vectors against this setup:

  Internet -> firewall -> web server

Presumably if your firewall is doing its job, the only means of access to
the web server is port 80. So any successful attack depends on data being
sent over port 80. In the setup with just a firewall, there is nothing but
Apache on the web server examining the content of the data on port 80.
This means any flaws in Apache, like exploitable buffer overruns, can be
taken advantage of.

> And how does a Squid proxy prevent one from doing that on the internal
> box, anyhow?

The general idea is that any proxy will sanitize the protocol, so the
target server never sees things that might trigger an exploit. Because the
proxy has a simpler job and design, it itself is less likely to have the
same exploitable flaws as the server it is protecting.

Of course any real proxy might suffer from flaws of its own, or the target
server might have flaws that can be exploited while sending perfectly valid
data that complies with the protocol.

Personally, I'd rather do away with the overhead of a proxy (unless it is
needed for the other benefits it provides) and have the web server in the
DMZ, with indirect links to any resources needed behind the firewall.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
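What "sanitize the protocol" amounts to in practice, as an added illustration that is not part of the thread above and is not Squid's code: a reverse proxy parses the HTTP request head itself, enforces limits and well-formedness, and only forwards what survives. The size limits, the allowed methods and the sample requests below are all assumed or constructed for the example. The last sample makes Tom's caveat concrete: a request that is perfectly valid HTTP but carries an application-level attack string in its body is forwarded unchanged, because a protocol sanitizer has nothing to object to.

```python
"""HTTP/1.x request sanitizer of the kind a reverse proxy applies before
forwarding to the origin. Added example; limits are assumed values."""
import re
from dataclasses import dataclass, field

MAX_REQUEST_LINE = 2048          # assumed limits; match what the origin tolerates
MAX_HEADER_LINE = 4096
MAX_HEADERS = 64
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}

TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token
TARGET_RE = re.compile(r"^/[\x21-\x7e]*$")     # origin-form, printable ASCII, no spaces
FIELD_VALUE_RE = re.compile(r"^[\x20-\x7e\t]*$")          # no CR, LF or other controls


@dataclass
class Verdict:
    accepted: bool
    reason: str = ""
    method: str = ""
    target: str = ""
    headers: dict = field(default_factory=dict)


def sanitize_request(raw: bytes) -> Verdict:
    """Parse one request head; reject with a reason, or return the normalized
    method, target and lower-cased headers that would be forwarded."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, "incomplete header block")
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:
        return Verdict(False, "request line too long")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return Verdict(False, "malformed request line")
    try:
        method, target, version = (p.decode("ascii") for p in parts)
    except UnicodeDecodeError:
        return Verdict(False, "non-ASCII bytes in request line")
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method!r} not allowed")
    if version not in ALLOWED_VERSIONS:
        return Verdict(False, "unsupported HTTP version")
    if not TARGET_RE.match(target):
        return Verdict(False, "request-target contains control or non-ASCII bytes")
    # Plain '..' segments only; a real proxy must percent-decode and normalize
    # the path before this check (omitted here for brevity).
    if ".." in target.split("?", 1)[0].split("/"):
        return Verdict(False, "path traversal segment")

    header_lines = lines[1:]
    if len(header_lines) > MAX_HEADERS:
        return Verdict(False, "too many headers")
    headers: dict = {}
    for line in header_lines:
        if len(line) > MAX_HEADER_LINE:
            return Verdict(False, "header line too long")
        if line[:1] in (b" ", b"\t"):
            return Verdict(False, "obsolete line folding")
        name, colon, value = line.partition(b":")
        if not colon:
            return Verdict(False, "header line without colon")
        try:
            name_s, value_s = name.decode("ascii"), value.decode("ascii").strip(" \t")
        except UnicodeDecodeError:
            return Verdict(False, "non-ASCII bytes in header")
        if not TOKEN_RE.match(name_s):
            return Verdict(False, f"invalid header name {name_s!r}")
        if not FIELD_VALUE_RE.match(value_s):
            return Verdict(False, f"control characters in {name_s}")
        lname = name_s.lower()
        if lname in headers and lname in ("host", "content-length"):
            return Verdict(False, f"duplicate {lname} header")
        headers[lname] = value_s
    # Framing ambiguities are what request-smuggling attacks rely on.
    if "content-length" in headers and "transfer-encoding" in headers:
        return Verdict(False, "both Content-Length and Transfer-Encoding present")
    if "content-length" in headers and not headers["content-length"].isdigit():
        return Verdict(False, "non-numeric Content-Length")
    if version == "HTTP/1.1" and "host" not in headers:
        return Verdict(False, "HTTP/1.1 request without Host")
    return Verdict(True, "", method, target, headers)


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    # Overlong header of the kind used to trigger a buffer overrun in a server.
    "overlong_header": b"GET / HTTP/1.1\r\nHost: www.example.org\r\n"
                       b"User-Agent: " + b"A" * 5000 + b"\r\n\r\n",
    "ctl_in_target": b"GET /cgi-bin/x\x00y HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "smuggling": (b"POST / HTTP/1.1\r\nHost: www.example.org\r\n"
                  b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"),
    # Valid HTTP whose body carries an application-level attack: forwarded as-is.
    "valid_but_hostile": (b"POST /login HTTP/1.1\r\nHost: www.example.org\r\n"
                          b"Content-Type: application/x-www-form-urlencoded\r\n"
                          b"Content-Length: 20\r\n\r\nuser=admin'--&pass=x"),
}


def check_all() -> dict:
    """Run every sample through the sanitizer; returns name -> (accepted, reason)."""
    return {n: (v.accepted, v.reason) for n, v in
            ((n, sanitize_request(r)) for n, r in SAMPLES.items())}


if __name__ == "__main__":
    for name, (ok, why) in check_all().items():
        print(f"{name:18} {'FORWARD' if ok else 'REJECT'} {why}")
```

Running the block prints a FORWARD/REJECT line per sample. The three malformed requests never reach the origin, which is the benefit Tom describes; the SQL-looking login body does, which is the limit he describes in the same breath.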