
Re: Stupid Question - Proxy Internals



On Wed, 2002-03-06 at 16:21, Josh Frick wrote:
> I've just added a Dante/Squid proxy to my network,  and I'd like to know 
> if this is significantly more secure than packet filtering.

You can view the separate services as:

packet filtering = IP layer filtering.
masquerading = IP layer NAT.  (okay, a subset)
squid proxy = application layer filtering.  (and HTTP cache, and ...)
socks = application layer NAT.

They are completely different beasts and complement each other.  One is
not "more secure" than the other -- they offer completely different
services.

>  I can't 
> seem to get a straight answer from online documentation for Socks,  and 
> I know Squid is not inherently secure,  but I have a fairly 
> straight-forward question:

>     Do Socks4/5 and/or Squid actually prevent packets with inappropriate 
> protocols from being passed on to the client (i.e. telnet to port 80)?

No and yes.

Socks doesn't analyze packet contents.

Squid does, but telnet to port 80 is not inappropriate, and just
establishes a TCP/IP connection.  If you want to block people connecting
to a potential telnet _server_ on port 80, then yes, squid will block
it.  Read the config file to learn more, as by default it allows more
than just HTTP (like FTP).

>     If not,  what does?

Socks allows just about any generic protocol through, so it will be hard
to block anything.  I know, for example, that socks allows SSH, which is
entirely encrypted.

Squid should definitely be able to block anything that is not a HTTP
GET/POST request, which is what I assume you want to do.  But you should
really test that, and test it for your current configuration.

Be careful: there are ways to tunnel telnet over HTTP, which were
specifically written to get around proxies.
> 
>    Sincerely,
> 
>    Josh Frick

-- 
Berend De Schouwer
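An added example of the kind of tightening the reply refers to (not from this message or the Squid project itself): a squid.conf fragment that limits the proxy to HTTP GET/POST from the LAN and drops the FTP and tunnelling that the stock config permits. The LAN range 192.168.1.0/24 is an assumed placeholder.

```conf
# Added example, not from the original message: restrict Squid to plain
# HTTP GET/POST from the LAN. 192.168.1.0/24 is an assumed placeholder.

# Who may use the proxy (assumed LAN range).
acl localnet src 192.168.1.0/24

# Destination ports we are willing to proxy to, and the only port that
# CONNECT tunnels may reach.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Methods and protocols we actually want to pass on. Add CONNECT to
# allowed_methods only if HTTPS browsing must work; the SSL_ports rule
# below still confines it to port 443.
acl allowed_methods method GET POST
acl ftp_proto proto FTP

# Order matters: the first matching http_access line wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny ftp_proto
http_access deny !allowed_methods
http_access allow localnet
http_access deny all
```

Check the syntax with `squid -k parse`, then do as the message says and test it: a request using any other method or protocol through the proxy should come back as a denial rather than being forwarded.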


