Hi,
> Give me an example of some security measure which you
> can accomplish with squid but not with masquerading
> using iptables.
>
> If you can't, maybe you need to think first what exactly you are
> trying to accomplish. I hope you aren't thinking "I do not exactly
> know why, but folks said it is more secure"? ;)
Ok, here are some reasons:
- you can have simpler firewall rules.
Don't underestimate this; they get complex in bigger networks.
- you can block other programs like ICQ.
The only way of really blocking things like ICQ that I can think of is
by changing DNS resolution for these hosts. This is simply done on the proxy
server and not for the whole network.
- the simple Squid ACLs I already mentioned
- I trust Squid/Linux more than Windows in any kind of network operation
> If you do need some filtering via squid, at least make it
> transparent and unavoidable for your users. Now you have to
> set up each user's IE to use squid, right? Nothing prevents
> them from reenabling direct access to Inet.
- you can prevent users from re-enabling proxy settings easily
- proxy settings are delivered to the client by our Novell server, no
need to do this by hand
- users are not allowed to go directly; this was just a test, but I
already mentioned that. Sorry if that was not clear.
- authentication does not work with a transparent proxy; we are currently
not using it, but will in the future
Raiiner
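The two Squid points argued above (destination filtering with ACLs, and proxy authentication, which only works when clients are configured to use the proxy explicitly rather than being intercepted transparently) as an added squid.conf fragment. This is example configuration written for this page, not from the original post or the squid-users archive; it assumes Squid 3.x ACL syntax, and the helper path and file names are assumptions.

```conf
# Explicit (non-transparent) proxy: clients must be configured to use it,
# otherwise the 407 authentication challenge below never reaches them.
http_port 3128

# Basic authentication against an htpasswd-style file.
# Helper path varies by distribution (assumed here).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# Only hosts on the LAN may use the proxy at all (constructed range).
acl localnet src 192.168.0.0/16

# Destinations to block, one domain per line (constructed example file).
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"

# Restrict to web ports so the proxy cannot be used as a generic tunnel.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Matches only once the client has presented valid credentials.
acl authed proxy_auth REQUIRED

# Order matters: the first matching http_access line wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Authenticate first so blocked attempts are attributed to a user in access.log.
http_access deny !authed
http_access deny blocked_sites
http_access allow localnet
http_access deny all
```

With this ordering every denied request in access.log carries the authenticated username, which is what makes the filtering decisions auditable; a transparent setup would show only the client IP.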
Received on Wed Feb 11 2004 - 21:25:30 MST