Re: [squid-users] Transparent Proxy without being inline?

From: José J. Cintrón <jcintron@dont-contact.us>
Date: Tue, 22 Mar 2005 11:04:11 -0500

This is not what squid was designed for. Squid is a proxy, not an IDS
or sniffer or anything like that. What it does (and very well) is take
your connection requests and forward them based on your policy to the
remote server. If what you want is to know who is connecting to IIRC,
your FW should be able to do that. You may also install a sniffer and
write appropriate filters to only capture the traffic that you are
interested in. If you want to be able to look at reports, maybe send
TCP RST, etc., go for Snort or something like it.

John Cole wrote:
> Howdy!
>
> I'm not as interested in blocking as I am in reporting. If I can do
> blocking as well, that's great.
>
> Here's the layout of what I'm trying to do:
>
> LAN --> Hub --> FW --> Internet
>          |
>         \-/
>     box with Squid
>
> I've seen other products out there that do transparent interceptions like
> this. I believe they put the NICs into promiscuous mode in order to see
> all of the traffic needed. (IIRC) They might have sent a TCP RST to the
> destination and then put a custom page back to the user when they accessed a
> prohibited page.
>
> Can Squid do this?
>
> Thanks,
> John
>
> -----Original Message-----
> From: Meidinger Chris [mailto:chris.meidinger@badenit.de]
> Sent: Tuesday, March 22, 2005 10:30 AM
> To: John Cole; squid-users@squid-cache.org
> Subject: RE: [squid-users] Transparent Proxy without being inline?
>
>
> Hi John,
>
> how would squid block things if they are not being routed over the proxy?
>
> Your sig says you are a security guy, so let's translate this into security
> terms:
>
> If you have two subnets, 10.1.0.0/24 and 10.2.0.0/24 and you want to avoid
> having anyone make an ssh connection from 10.1.0.10 to 10.2.0.10 you would
> probably use a firewall. If you connect the gateways from both subnets to a
> hub, and then put a firewall on that hub as well, can you think of any way
> to make the firewall stop that ssh connection?
>
> The only thing conceivable would be to either teach squid to RST the
> connections to the browser if something needs to be blocked, or to arpspoof
> the firewall's mac to trick packets into traversing the squid box first.
>
> Now, returning to reality, you could have the packets traverse the firewall
> twice, like so:
>
> host --> switch --> hub --> firewall --> squid --> firewall --> internet
>
> you would need :
>
> # iptables -A FORWARD -p TCP --dport 80 -s $SQUID_PROXY ! -d $INSIDE_NET -j ACCEPT
> # iptables -A FORWARD -p TCP --dport 80 -s $INSIDE_NET -d $SQUID_PROXY -j ACCEPT
> # iptables -t nat -A PREROUTING -s $INSIDE_NET ! -d $INSIDE_NET -p TCP --dport 80 -j DNAT --to-destination $SQUID_PROXY
>
> tack -m state --state NEW,ESTABLISHED,RELATED onto the first two, and you're
> set. (If squid is on the $INSIDE_NET, you will obviously have to allow for
> that as well.)
>
> Greetings, Chris
>
> PS: this is obviously not a use for squid in transparent mode!! You only
> bridge squid when you want it to invisibly sit between the lan and the
> outside!!
>
>
>>-----Original Message-----
>>From: John Cole [mailto:jcole@filink.com]
>>Sent: Tuesday, March 22, 2005 4:03 PM
>>To: squid-users@squid-cache.org
>>Subject: [squid-users] Transparent Proxy without being inline?
>>
>>Howdy all!
>>
>>I've been looking but haven't found the answer yet.
>>
>>Is it possible to run SQUID in transparent mode but not be inline? For
>>example, I have a box between the LAN and the FW but it is in a hub and the
>>NIC is in promiscuous mode. Can SQUID do caching and/or blocking and/or
>>reporting in this setup?
>>
>>Thanks,
>>John Cole, TICSA
>>Security Engineer
>>FiLink
>>770-420-1546 x102
>>1-866-534-5465
>>jcole@filink.com
>>
>>This email and any files transmitted with it are solely intended for the use of the
>>addressee(s) and may contain information that is confidential and privileged. If
>>you receive this email in error, please advise us by return email immediately.
>>Please also disregard the contents of the email, delete it and destroy any copies
>>immediately.
>>
>
>

-- 
+------------------------------------------
| José J. Cintrón - <jcintron@mitre.org>
+------------------------------------------
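Chris's "traverse the firewall twice" layout, with the state match he says to tack on, written out as a complete rule set. This is an added example, not code from the thread or from the Squid project; the addresses, the Squid port, and the assumption that the Squid box hangs off its own firewall interface (as in his diagram, not on $INSIDE_NET) are mine. It prints the rules rather than running them so they can be reviewed before being piped into a root shell, and it adds a return-traffic rule, since the dport-80 rules only match client-to-server packets and replies arrive with sport 80.

```shell
#!/bin/sh
# Added example: generate iptables rules for
#   host --> firewall --> squid --> firewall --> internet
# with Squid on its own segment behind the firewall. The values below are
# placeholders assumed for illustration; set them for your own network.
INSIDE_NET="${INSIDE_NET:-10.1.0.0/24}"   # assumed LAN range
SQUID_PROXY="${SQUID_PROXY:-10.3.0.5}"   # assumed Squid host, on a separate leg
SQUID_PORT="${SQUID_PORT:-3128}"         # assumed Squid intercept port
IPTABLES="${IPTABLES:-iptables}"
STATE="-m state --state NEW,ESTABLISHED,RELATED"

# Print one iptables command per line. Usage:
#   sh squid_dnat.sh          # review
#   sh squid_dnat.sh | sh     # apply, as root
gen_rules() {
    # nat table: LAN clients bound for port 80 outside the LAN are sent to
    # Squid. PREROUTING runs before routing, so FORWARD below sees the
    # translated destination.
    echo "$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -s $INSIDE_NET ! -d $INSIDE_NET -j DNAT --to-destination $SQUID_PROXY:$SQUID_PORT"
    # filter table, first pass: LAN client -> proxy, on the port we DNAT to
    echo "$IPTABLES -A FORWARD -p tcp --dport $SQUID_PORT -s $INSIDE_NET -d $SQUID_PROXY $STATE -j ACCEPT"
    # second pass: proxy -> outside web server
    echo "$IPTABLES -A FORWARD -p tcp --dport 80 -s $SQUID_PROXY ! -d $INSIDE_NET $STATE -j ACCEPT"
    # replies in both directions (sport 80 / sport $SQUID_PORT, which the
    # dport matches above do not cover)
    echo "$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules generated; a quick sanity check against what was applied.
rule_count() {
    gen_rules | grep -c .
}

gen_rules
```

Two caveats a practitioner will hit. First, the NAT happens on the firewall, not on the Squid box, so Squid cannot look up the original destination in its own kernel's NAT table; the port you DNAT to must be configured for interception (Squid 2.5's httpd_accel_host virtual / httpd_accel_uses_host_header on, or http_port 3128 transparent in 2.6 and later) so it rebuilds the destination from the HTTP Host header. Second, if Squid instead sits on the same subnet as the clients, its replies go straight to the client without crossing the firewall, so the client sees packets from the proxy's address rather than the web server's and the connection fails; that layout needs SNAT on the firewall as well, which is why a separate segment is simpler. After applying, `iptables -t nat -L PREROUTING -n -v` shows whether the DNAT counters move when a client browses.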
Received on Tue Mar 22 2005 - 09:04:15 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST