Re: Q: Using Squid on a firewall-Host?

From: Jonathan Larmour <JLarmour@dont-contact.us>
Date: Tue, 17 Dec 1996 14:44:44 +0000

At 12:39 17/12/96 GMT, John Saunders wrote:
>Anthony Baxter (arb@connect.com.au) wrote:
>>
>> >>> Frank Wegner wrote
>> > I have heard that people replaced their http-gw of the
>> > TIS-Firewall-Toolkit with squid. Is it sensible to use squid on a
>> > firewall machine as a proxy? Can I use squid to forward http and ftp
>> > requests both ways through the firewall it is running on?
>>
>> Wow. That's an _awfully_ large application to be running on a
>> firewall.
>>
>> $ cd ~src/sbin/squid/squid-1.1.1 ; cat src/*.c | wc -l
>> 32843
>
>I wouldn't think size had anything to do with the matter. Unless, of
>course, you relate in-memory size to the number of security bugs.
>But most of Squid is data, the actual text size is mediocre, 260K
>with Squid 1.1.0 running on Linux.

With firewalls, assume the worst, because it's probably the case.

>Possibly the most secure way would be to run squid on a machine on the
>outside of the firewall (no man's land). This machine, of course, would
>have to be expendable and hence have nothing interesting on it.

You can still put it behind a screening router, and use your normal UNIX
security principles, which will get rid of most of the ankle-biters.

>However, unless squid has a nasty bug that gets exercised when a nasty
>html doc is fetched, running it on the inside of the firewall is OK. I

What, like ActiveX? Probably the most insecure internet pseudo-standard
known to man.

>In summary, don't run Squid on the firewall unless you like risking
>your system's security. For a few extra http-gw processes, it's not
>worth having to explain to the boss how that hacker got into the
>company files.

You had the right idea above, i.e. just use a plug-gw to an outside squid.
For the confident and competent, you _can_ run it on your firewall, if a)
this fits with your security model (aka are you really that paranoid?), and
b) you follow the steps for chrooting it described in a different message of
mine. But there _are_ still disadvantages.

Ultimately, the best firewall is the "airgap" firewall, it just depends
_how_ secure you want to make it. By virtue of the fact that people are letting
ActiveX through their firewall, they probably wouldn't mind running squid on
their firewall. If you _are_ concerned, you run http-gw with the appropriate
patches.

If you are worried about your boss, you tell him, this is what I can give
you, and if you want more, it will cost $xxxxxx more, and means not allowing
y and z through the firewall.

Single points of entry allow single points of control. Some people can argue
for the benefits of keeping your squid where you can see it, if you know
what I mean.

Jonathan L.
Origin UK, 323 Cambridge Science Park, Cambridge, England. Tel: +44(1223)423355
------[ Do not think that every sad-eyed woman has loved and lost... ]------
----------------------[ she may have got him. -Anon ]-----------------------
Help fight spam! http://www.vix.com/spam These opinions are all my own fault
Received on Tue Dec 17 1996 - 07:26:25 MST
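The thread above turns on two points: whether the proxy should forward traffic "both ways" through the firewall, and whether it runs chrooted and unprivileged if it sits on the firewall host at all. The configuration below is an added example written for this archive page; it is not from the original thread, not from http-gw, and not a Squid 1.1-era file. It uses the directive syntax of current Squid releases (3.x and later: `acl`, `http_access`, `http_port`, `cache_effective_user`, `chroot`), so check that your installed version supports each directive. The addresses `10.0.0.0/8` and `10.0.0.1`, the user name `squid`, and the jail path `/var/squid-chroot` are constructed placeholders.

```conf
# --- Listen only on the inside interface, never on the outside one ---
# Binding to the inside address means outside hosts cannot reach the
# proxy at all, so the "both ways" forwarding the question asks about
# is simply not offered.
http_port 10.0.0.1:3128

# --- Least privilege for the daemon itself ---
# Drop root after binding the port, and run inside a jail so that a bug
# triggered by a hostile document is confined to the jail's contents.
# (Both values are placeholders; the jail must contain Squid's cache,
# log and pid directories, with matching ownership.)
cache_effective_user squid
chroot /var/squid-chroot

# --- Who may use the proxy: the internal network only ---
acl localnet src 10.0.0.0/8          # placeholder inside network

# --- What they may ask for: plain HTTP, FTP and HTTPS ports only ---
acl Safe_ports port 80               # http
acl Safe_ports port 21               # ftp
acl Safe_ports port 443              # https
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# Order matters: http_access rules are evaluated top to bottom and the
# first match wins.  Deny the dangerous cases before allowing anything.
http_access deny !Safe_ports           # no proxying to arbitrary ports
http_access deny CONNECT !SSL_ports    # CONNECT tunnels only to 443
http_access allow localnet             # inside hosts may use the proxy
http_access deny all                   # everything else, including any
                                       # outside host, is refused
```

The weak setting this replaces is the one implied by "forward requests both ways": an `http_port` bound to all interfaces together with `http_access allow all`, which turns the firewall host into an open proxy that outsiders can use to reach the inside. With the order above, a request from an outside address never reaches the `allow localnet` line, and a `CONNECT` to a non-443 port from an inside host is refused before the allow rule is consulted.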