[3510] in WWW Security List Archive
Re: where to put cacheing proxy?
daemon@ATHENA.MIT.EDU (Damien Miller)
Mon Nov 11 04:12:37 1996
Date: Mon, 11 Nov 1996 17:30:51 +1100 (EST)
From: Damien Miller <dmiller@vitnet.com.sg>
To: elroy <elroy@kcsun3.kcstar.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.91.961108181314.7326B-100000@kcsun3.kcstar.com>
Errors-To: owner-www-security@ns2.rutgers.edu
-----BEGIN PGP SIGNED MESSAGE-----
On Fri, 8 Nov 1996, elroy wrote:
> Hi all -
>
> I'm considering putting a cacheing proxy server into play for the benefit
> of my company's internal users. They are behind a firewall.
>
> I have some questions:
>
> 1) Where does the proxy go? In the DMZ, behind the firewall, or ON the
> firewall. I'd rather not put it ON the firewall.
In the DMZ. If you put it behind the firewall it might concievably be used
as a door to your trusted network.
A malicious hacker might find (for example) a buffer overrun exploit for
your cache, s/he could concievably use the cache host to lauch attacks on
your trusted network. S/he could also gather info on you internal net and
covert-channel the data out in URLs (recoverable with a CGI) or in bogus
DNS lookups (recoverable with a hacked named).
> 2) If I put it in the DMZ, how do I tell http-gw to use the proxy rather
> than make the network connections itself. I'm confused mainly on the
> syntax for http-gw in the netperm-table file. (I think)
see (3). Otherwise, if you use TIS Gauntlet then I believe that there is a
'proxy' command line directive, if you are using the FWTK then I believe
you are out of luck (haven't looked at the latest version though).
> 3) I suppose I could make an end-run around http-gw altogether and use
> plug-gw in it's place. Is this a Bad Idea (TM) ?
No, plug-gw is a Good Idea here. If you use http-gw you are proxying
the data twice. I think that http-gw does a bit of caching, it certainly
attempts to rewrite ftp directories (and does a crap job at it, IMHO).
> Any help or advice is appreciated, or pointers to on-line documentation.
To further secure the cache host in the DMZ, disable (from inetd.conf
and/or netperm-table) all unnecessary services. Block connections to all
ports on this host both at your router and (if possible) in the kernel.
Open up only the ports that you need.
Disable remote root logins. Better yet, disable all remote logins.
If you do need to login remotely, use SSLtelnet to make sure that your
passwords don't get sniffed. I have heard others rave about a similar
system known as SSH, but I haven't tried it. You can get to SSLtelnet and
the SSLeay library (which it requires) via:
http://www.psy.uq.oz.au/~ftp/Crypto
If you haven't already, check out the 'squid' caching software - it is
very fast and comes with CGI administration software. You might want to
block ICP (Internet Cache Protocol), its security status is yet to be
resolved. You can get info on squid at: http://squid.nlanr.net/Squid/
Hope that this helps,
Damien
| Damien Miller -
| Email: dmiller@vitnet.com.sg (PGP and MIME ok)
| WWW: http://www.vitnet.com.sg/dmiller
| PGP public key: send me an email with "send file pgp_key" as the subject
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBMobIF7rHgZ2SMrItAQGcgwgAnvTLuukBgzasPIxXlqr3YGjhvmIQf4/i
iSTjiL6+qZ/lOFdRFf4mdjD7TGKuztyIXx9rKzGqFY0uFsW0i36CWe8IMJLCA8tm
qIEdVDmQO8iRSNWAeL01yu9EjZH+TJ31iz63F39t4xCYSvBsG3NBjdvgTkuvao3l
sWVdUCAE79kqWSOP66QLTFJ3NlQtr9Vbhl2qRvltDuwVCN8PYckARxVSQl3sCf4W
i1wLjbDgDPNh8gm2/d9ryxI+QhvC33iud1ZwWzEs2s3w2aENvI0lNIsIKNiW9tGT
U12A7MPDvdSI+jjQRjw7ka++9FY8k3HPp3B6YTZ9bX6UKY4s+MbHTw==
=OKew
-----END PGP SIGNATURE-----
