Re: [squid-users] Security Concerns

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Thu, 06 Nov 2008 08:55:23 -0700

On Thu, 2008-11-06 at 14:52 +0000, David Hurcomb wrote:
> Hello,
>
> I am running Squid on a Linux box which is also hosting a customer
> database (Oracle).
>
> I am concerned that by having the Proxy server on the same box as the
> database that I am introducing an increased security risk.
>
> e.g. an exploit in squid might mean that a hacker is able to gain access
> to my customer database.
>
> Assuming that my network is locked down so that the (external router)
> firewall has blocked all WAN->LAN traffic to our network on all ports am
> I correct in assuming that....
>
> The only weakness is from an security exploit to squid being initiated
> from inside our network.
>
> The network user might potentially be duped to go to a boobytrapped web
> page which has the potential to exploit a security weakness in squid itself.
>
> Thanks in advance for your answers, I would like to be able to sleep
> soundly that my proxy server is not a security risk to my data.

You did not ask any questions. In general, you are correct that adding
applications to a server increases your security risks. Hopefully, the
benefits of those applications outweigh the risks.

In Squid's case, you can (and should) mitigate some of the risks by
running Squid using a non-privileged user account which is different
from the database user account. If Squid is compromised and Linux is
not, you may lose connectivity but not the database.

HTH,

Alex.
Received on Thu Nov 06 2008 - 15:56:50 MST

This archive was generated by hypermail 2.2.0 : Fri Nov 07 2008 - 12:00:03 MST