
Re: Stupid Question - Proxy Internals



Berend De Schouwer wrote:

> On Wed, 2002-03-06 at 16:21, Josh Frick wrote:
>
>> I've just added a Dante/Squid proxy to my network, and I'd like to know if this is significantly more secure than packet filtering.
>
> You can view the separate services as:
>
> packet filtering = IP layer filtering.
> masquerading = IP layer NAT.  (okay, a subset)
> squid proxy = application layer filtering.  (and HTTP cache, and ...)
> socks = application layer NAT.
>
> They are completely different beasts and complement each other.  One is
> not "more secure" than the other -- they offer completely different
> services.

Thank you. That's what I had suspected. NAT is NAT, right? I'm trying to build a multi-layered approach. Currently it's two Coyote (IPchains) Firewalls in front of Squid/Socks. This does prevent direct connections to my clients, which I had assumed was more secure than otherwise, but I wasn't sure if that was meaningful. My clients and the Squid/Socks box are not reachable by the gateway. Only the choke, which will be reconfigured (by way of a crossover cable) to be connected only to the Squid/Socks box. I just wanted to know if this was any better than simply adding a third IPchains box.

>> I can't seem to get a straight answer from online documentation for Socks, and I know Squid is not inherently secure, but I have a fairly straightforward question:
>>
>> Do Socks4/5 and/or Squid actually prevent packets with inappropriate protocols from being passed on to the client (i.e. telnet to port 80)?
>
> No and yes.
>
> Socks doesn't analyze packet contents.
>
> Squid does, but telnet to port 80 is not inappropriate, and just
> establishes a TCP/IP connection.  If you want to block people connecting
> to a potential telnet _server_ on port 80, then yes, squid will block
> it.  Read the config file to learn more, as by default it allows more
> than just HTTP (like FTP).

I do intend to fine-tune Squid. I just wasn't sure it could filter content based on protocol.

>> If not, what does?
>
> Socks allows just about any generic protocol through, so it will be hard
> to block anything.  I know, for example, that socks allows SSH, which is
> entirely encrypted.
>
> Squid should definitely be able to block anything that is not a HTTP
> GET/POST request, which is what I assume you want to do.  But you should
> really test that, and test it for your current configuration.

Yes.  That's what I want.  Just HTTP/S.

> Be careful: there are ways to tunnel telnet over HTTP, which were
> specifically written to get around proxies.

So Squid and Socks do nothing to address this? Or does the tunneled telnet try to connect to the Socks/Squid box? (which does not have telnetd)

  Sincerely,

  Josh Frick
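To make Berend's "read the config file" advice concrete, here is a squid.conf access-control fragment that does what Josh asks for: plain HTTP on port 80, CONNECT tunnels to port 443, and nothing else (no ftp:// URLs, no GET to odd ports, no CONNECT to anything but 443). It is an added example, not part of this thread and not the Squid project's shipped configuration. It assumes a Squid 2.x-era squid.conf, a made-up client subnet of 192.168.1.0/24, and that the shipped Safe_ports/SSL_ports/http_access lines are replaced by the ones below rather than kept alongside them (Squid merges repeated acl definitions of the same name, which is why fresh names are used).

```conf
# Added example, not the thread's own text: lock a Squid proxy down to
# HTTP on port 80 plus CONNECT to port 443 only.
# Assumptions: Squid 2.x-style squid.conf; clients on 192.168.1.0/24
# (a constructed subnet); the distribution's default Safe_ports/SSL_ports/
# http_access lines have been removed, not merely appended to.

# The shipped defaults look roughly like this and are what Berend means
# by "allows more than just HTTP": ftp://, GET to http://host:8080/ and
# CONNECT to port 563 all pass.
#   acl Safe_ports port 80 21 443 563 70 210 1025-65535
#   acl SSL_ports port 443 563
#   acl CONNECT method CONNECT
#   http_access deny !Safe_ports
#   http_access deny CONNECT !SSL_ports

# Hardened replacement.
acl all          src 0.0.0.0/0.0.0.0
acl lan_clients  src 192.168.1.0/24
acl web_ports    port 80
acl tls_ports    port 443
acl CONNECT      method CONNECT
acl web_methods  method GET POST HEAD
acl ftp_scheme   proto FTP

# http_access rules are evaluated top to bottom; the first line whose
# ACLs all match decides.  "deny a b" means deny when a AND b match.
# Only the LAN may talk to the proxy at all.
http_access deny  !lan_clients
# Refuse ftp:// URLs outright (Squid would otherwise fetch them).
http_access deny  ftp_scheme
# CONNECT (the HTTPS tunnel) only towards port 443.
http_access deny  CONNECT !tls_ports
# Every other request must go to port 80 ...
http_access deny  !CONNECT !web_ports
# ... and must be a GET, POST or HEAD.
http_access deny  !CONNECT !web_methods
# Whatever survived the deny lines is ordinary web traffic from our LAN.
http_access allow lan_clients
http_access deny  all
```

Two caveats a practitioner would check before trusting this. First, test it as Berend says: `telnet proxy 3128` and type `CONNECT host:23 HTTP/1.0` or `GET ftp://host/ HTTP/1.0` to confirm a 403 comes back. Second, this addresses only the "wrong protocol or port" case; it does nothing against the tunnels Berend warns about. A tunnel that wraps telnet inside ordinary GET/POST exchanges with a server listening on port 80 is indistinguishable from browsing at this layer, and a CONNECT to port 443 carries whatever bytes the client wants. The remaining lever in Squid is the destination: a `dstdomain` ACL listing the sites clients are allowed to reach, where that is practical. Dante's sockd.conf, by contrast, can only match address, port and command (connect/bind/udpassociate), which is the "application layer NAT, doesn't analyze packet contents" point from the reply above.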





