security & squid proxy...
dsr at tao.merseine.nu
Tue Aug 8 08:48:13 EDT 2006
On Tue, Aug 08, 2006 at 07:22:44AM -0400, Grant M. wrote:
> So, given an up-to-date, fully patched server that is maintained that
> way, I am not sure how having the squid proxy is of any huge value. Is
> this just a 'feel-good' security measure? I do fully understand the idea
> of an exploit allowing an attacker to execute code as root on a
> compromisable server, but isn't this just as dangerous on the Squid box?
> And how does a Squid proxy prevent one from doing that on the internal
> box, anyhow?

Here are the useful security attributes of squid:

- cached URLs are served directly from squid, so repeat requests
  don't interact with the server at all. This can alleviate some
  DOS attacks.

- ACLs and filters can be applied. This can exclude known bad
  guys, or restrict requested URLs to just those that fit a
  particular regex.

- delay pools can limit bandwidth either for particular servers
  or clients.

Except for the first feature, you need to explicitly configure
and regularly maintain a squid cache to keep getting security
benefits from it.

-dsr-
--
-. --- -- --- .-. . ... . -.-. .-. . - ...
..-. ..- -.-. -.- - .... . -. ... .-
..-. ..- -.-. -. .-. -.. - .... ... ..- -.- -. .-- -.-. -..
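
The three attributes listed in the reply above, sketched as a squid.conf fragment for a Squid placed in front of one internal web server. This is an added example, not part of the original message; the hostname, addresses, URL pattern and rate figures are constructed placeholders, and it assumes accelerator (reverse proxy) mode and a Squid built with delay pool support.

```conf
# Added example. All names, addresses and numbers below are placeholders.

# Accept requests for the public site and fetch misses from the internal box.
http_port 80 accel defaultsite=www.example.com
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=origin

# --- ACLs and filters ---------------------------------------------------
# Known bad clients, maintained by hand (this list is what needs upkeep).
acl badguys src 203.0.113.0/24
# Only this site is served through the proxy.
acl our_site dstdomain www.example.com
# Only URL paths that fit the pattern are passed on; anything else is
# refused by squid and never reaches the internal server.
acl site_paths urlpath_regex -i ^/($|index\.html$|static/)

# Rules are evaluated top to bottom; the first match decides.
# ('all' is predefined in current Squid; older default configs define it.)
http_access deny badguys
http_access allow our_site site_paths
http_access deny all

# Only requests for our site may be forwarded to the origin server.
cache_peer_access origin allow our_site
cache_peer_access origin deny all

# --- Delay pools --------------------------------------------------------
# One class 2 pool: an aggregate bucket plus one bucket per client host.
delay_pools 1
delay_class 1 2
# Format is restore/maximum, in bytes per second / bytes:
#   aggregate  64000/64000   all clients together
#   individual  8000/16000   each single client
delay_parameters 1 64000/64000 8000/16000
delay_access 1 allow all
```

Caching of repeat requests needs no extra lines here; the ACL list, the path pattern and the rate figures are the parts that have to be reviewed as the site and its traffic change.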