Berend De Schouwer wrote:

> On Wed, 2002-03-06 at 16:21, Josh Frick wrote:
>
>> I've just added a Dante/Squid proxy to my network, and I'd like to know
>> if this is significantly more secure than packet filtering.
>
> You can view the separate services as:
>
> packet filtering = IP layer filtering.
> masquerading = IP layer NAT. (okay, a subset)
> squid proxy = application layer filtering. (and HTTP cache, and ...)
> socks = application layer NAT.
>
> They are completely different beasts and complement each other. One is
> not "more secure" than the other -- they offer completely different
> services.

Thank you. That's what I had suspected. NAT is NAT, right?

I'm trying to build a multi-layered approach. Currently it's two Coyote (IPchains) firewalls in front of Squid/Socks. This does prevent direct connections to my clients, which I had assumed was more secure than otherwise, but I wasn't sure if that was meaningful. My clients and the Squid/Socks box are not reachable by the gateway. Only the choke, which will be reconfigured (by way of a crossover cable) to be connected only to the Squid/Socks box. I just wanted to know if this was any better than simply adding a third IPchains box.
>> I can't
>> seem to get a straight answer from online documentation for Socks, and
>> I know Squid is not inherently secure, but I have a fairly
>> straightforward question:
>>
>> Do Socks4/5 and/or Squid actually prevent packets with inappropriate
>> protocols from being passed on to the client (i.e. telnet to port 80)?
>
> No and yes.
>
> Socks doesn't analyze packet contents.
>
> Squid does, but telnet to port 80 is not inappropriate, and just
> establishes a TCP/IP connection. If you want to block people connecting
> to a potential telnet _server_ on port 80, then yes, squid will block
> it. Read the config file to learn more, as by default it allows more
> than just HTTP (like FTP).

I do intend to fine-tune Squid. I just wasn't sure it could filter content based on protocol.

>> If not, what does?
>
> Socks allows just about any generic protocol through, so it will be hard
> to block anything. I know, for example, that socks allows SSH, which is
> entirely encrypted.
>
> Squid should definitely be able to block anything that is not an HTTP
> GET/POST request, which is what I assume you want to do. But you should
> really test that, and test it for your current configuration.

Yes. That's what I want. Just HTTP/S.

> Be careful: there are ways to tunnel telnet over HTTP, which were
> specifically written to get around proxies.

So Squid and Socks do nothing to address this? Or does the tunneled telnet try to connect to the Socks/Squid box? (which does not have telnetd)

>> Sincerely,
>>
>> Josh Frick
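As an added illustration of the "read the config file" advice above (this fragment is not from the thread or from either poster; it is an editor's example), the following squid.conf ACLs restrict the proxy to what Josh asked for: plain HTTP requests using GET/POST/HEAD, plus HTTPS via CONNECT to port 443, with FTP and other URL schemes, odd destination ports and other request methods denied. The client network 192.168.1.0/24 is an assumption; the directive names (acl with src/port/method/proto, http_access) are standard Squid syntax.

```conf
# Editor's example squid.conf fragment (not from the thread).
# Assumes the LAN behind the proxy is 192.168.1.0/24 -- adjust to taste.

# Our clients
acl localnet src 192.168.1.0/24

# Destination ports the proxy may ever talk to
acl Safe_ports port 80 443
acl SSL_ports  port 443

# Request methods we honour; CONNECT is what browsers use for HTTPS
acl allowed_methods method GET POST HEAD
acl CONNECT         method CONNECT

# URL scheme for ordinary (non-CONNECT) requests. The stock config also
# lets ftp:// and gopher:// URLs through the proxy; this rules them out.
acl http_proto proto HTTP

# Squid evaluates http_access lines top to bottom, first match wins.
# Multiple ACLs on one line are ANDed.
http_access deny  !Safe_ports                 # no odd destination ports
http_access deny  CONNECT !SSL_ports          # CONNECT only to 443
http_access deny  !allowed_methods !CONNECT   # no PUT, DELETE, TRACE, ...
http_access deny  !CONNECT !http_proto        # no ftp://, gopher://, etc.
http_access allow localnet
http_access deny  all
# On the Squid 2.x of this era "all" must be declared first:
#   acl all src 0.0.0.0/0.0.0.0
# Squid 3.2 and later predefine it.
```

Test it the way Berend suggests rather than trusting the file: from a client, `curl -x http://proxy:3128 ftp://ftp.example.org/` should return 403 while an http:// URL succeeds, and `telnet proxy 3128` followed by a hand-typed `CONNECT host:22 HTTP/1.0` should be refused. Note what this does not do: a permitted CONNECT to port 443 is an opaque byte stream that Squid does not inspect, and tunnelling tools of the kind Berend warns about wrap arbitrary TCP traffic inside ordinary GET/POST requests, so method and port ACLs alone do not stop HTTP tunnelling.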