security & squid proxy...
blu at vl.com
Tue Aug 8 12:40:47 EDT 2006
Grant M. wrote:
> I just finished setting up another Squid reverse-proxy...
> and I am wondering what the _real_ security benefits are over
> just opening port 80 on the firewall.
So the structure looks like this?
Internet -> Squid [DMZ] -> firewall -> web server
> So, given an up-to-date, fully patched server that is maintained that
> way, I am not sure how having the squid proxy is of any huge value.
> I do fully understand the idea of an exploit allowing an attacker to
> execute code as root on a compromisable server, but isn't this just
> as dangerous on the Squid box?
Consider the attack vectors against this setup:
Internet -> firewall -> web server
Presumably if your firewall is doing its job, the only means of access
to the web server is port 80. So any successful attack depends on data
being sent over port 80.
In the setup with just a firewall, there is nothing but Apache on the
web server examining the content of the data on port 80. This means any
flaws in Apache, like exploitable buffer overruns, can be taken
> And how does a Squid proxy prevent one from doing that on the internal
> box, anyhow?
The general idea is that any proxy will sanitize the protocol, so the
target server never sees things that might trigger an exploit. Because
the proxy has a simpler job and design, it itself is less likely to have
the same exploitable flaws as the server it is protecting.
Of course any real proxy might suffer from flaws of its own, or the
target server might have flaws that can be exploited while sending
perfectly valid data that complies with the protocol.
Personally, I'd rather do away with the overhead of a proxy (unless it
is needed for the other benefits it provides) and have the web server in
the DMZ, with indirect links to any resources needed behind the firewall.
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
More information about the Discuss