
Re: Stupid Question - Proxy Internals



Josh Frick <JSFrick@bellatlantic.net> writes:

[snip]
>>Something to be aware of is that having two firewalls of the same flavour
>>will not buy you any more security. If a crack/exploit works on one then
>>it will work on the other. Try replacing one of them with another OS and
>>firewall solution.
>
> Eventually, I plan on replacing both Coyote boxes with IPtables-capable
> firewalls. (For stateful inspection). The choke will be Woody, I think,
> with SNORT, and the gateway will either be floppyfw or Devil Linux or a
> homebrew busybox. But they're still going to be i386 Linux. Hopefully, I
> can disable module support in both.

If you're going in for multiple layers of firewalling (why??) then what the
above says is that you shouldn't be using the same OS for each - the Linux
is the same whether you change distributions around or what. You're looking
at one of the BSDs as a relatively obvious choice when it's *variety* you
want.

>>Adding a third ipchains box will give you as much protection as adding a
>>piece of wire.
>
> This is unclear. In the context of your first statement, I guess you're
> saying it's just as easy to break into?

"Hey look, I just broke the first level of firewall!
 Oh wow, the second one is just the same...
 And blow me down with a gnat's fart, but the 3rd as well? Coo that was
 hard."

Last I checked, exploits didn't bother saying "uh oh, I'm only supported on
$DISTRO", they find instances of daemons with vulnerabilities, and wooie,
quicker than a greased leech going through a wormhole, they're in.

>>Where a proxy is extremely useful is being able to inspect (and correct
>>or reject) the data it receives before it gives it to the client machine.
>>That is you can plug a virus scanner into squid, remove active x, etc.
>
> How does it do so? By default? Or do I need to fine-tune squid.conf and
> danted.conf, or recompile both?

If someone has access to a port running Dante or Squid, then it doesn't
matter a jot whether they've gone through 1 firewall or 17 to get there,
they're in your face and they're playing with a service you're providing.

That's why you *must* secure the service as much as possible - set up
proper ACLs preferably with username & password authentication in both
dante and squid, keep them both up to date, only allow connections from
inside going out, consider running both proxies within libsafe; you name
it, you need to secure the services *far* more than you need to provide
"firewalls" before you get there.

Of *course* you've got to play with squid.conf and danted.conf. Wear
asbestos gloves whilst reading the entirety of the config files *and*
corresponding manpages, so you can set everything the way it should be.

~Tim
-- 
<http://spodzone.org.uk/>
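As an added illustration of the squid.conf hardening Tim describes above (not part of the original thread, and not a config from the Coyote or Woody boxes in question): a minimal ACL section that binds the listener to the inside interface, requires a username and password, permits only the internal network to go out, and ends in a default deny. The interface address 192.168.1.1, the network 192.168.1.0/24 and the path to the auth helper and password file are assumptions; check the helper path against your own Squid build.

```conf
# --- Weak: what a stock squid.conf effectively does if left alone ---
# http_port 3128                 # listens on every interface, inside and outside
# http_access allow all          # anyone who can reach the port may proxy

# --- Hardened ---

# Listen only on the inside interface (assumed address), never on the
# outside one, so the proxy is not reachable from the Internet at all.
http_port 192.168.1.1:3128

# Username/password authentication via the NCSA basic-auth helper.
# Helper and password-file paths are assumptions; adjust to your install.
# Create users with: htpasswd -c /etc/squid/passwd someuser
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Internal proxy
auth_param basic credentialsttl 2 hours

# Define who is "inside" (assumed network) and what "authenticated" means.
acl localnet      src 192.168.1.0/24
acl authenticated proxy_auth REQUIRED

# Restrict destination ports to the usual web set; deny CONNECT except to
# SSL ports so the proxy cannot be used as a generic TCP relay.
acl Safe_ports port 80 443 21 70 210 1025-65535
acl SSL_ports  port 443
acl CONNECT    method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only inside hosts that have authenticated may use the proxy;
# everything else, including anything arriving from outside, is denied.
http_access allow localnet authenticated
http_access deny all

# Also keep the cache manager interface to the box itself.
acl localhost src 127.0.0.1/32
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager
```

The two `deny` rules at the end are the important ones: Squid evaluates `http_access` lines top to bottom and stops at the first match, so the `deny all` (and `deny manager`) must come last, and any rule added later should be placed above them, not appended.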
