Re: [squid-users] How squid does Src/Dst IP address matching

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 25 Mar 2008 14:07:09 +1300

Adrian Chadd wrote:
> On Mon, Mar 24, 2008, Saurabh Agarwal wrote:
>> I understand the security concern, but if squid is accessed by Users
>> only within the company and company's intranet is secure enough, then it
>> is an overkill as DNS is performed twice(Squid being used in transparent
>> mode), once by the browser and then second time by the Squid.
>>
>> Shouldn't we have this as configurable through squid.conf file, though
>> with the disclaimer you wrote earlier. This looks like a good feature to
>> have.
>>
>> Like: Disable DNS lookups by Squid, instead use the DST IP address in the
>> intercepted HTTP request.
>> #disable_dns_lookup, hence use Dst IP from the packet
>
> That's not a bad idea, but the possibility is there to absolutely, positively
> blow away not only your clients' feet, but their legs, their torso, their
> car/bike, and potentially their neighbours' pet. It's very dangerous.
>
> I'll commit a patch if someone submits one. It has to have a very, very
> large warning and it also needs to log something in cache.log to explain
> why enabling the option is 100% dangerous.
>
> Please realise that it's not only compromised hosts, it's also malicious users.
>

Even larger than that.
All the below come in two variants: compromised OR malicious.

INTERNAL:
  - hosts
  - DNS
  - users
  - unintended intruders

EXTERNAL:
  - DNS
  - routers

It's those external threats that you really have no control over and can
turn the web proxy into an effective borg of the entire internal network.

No matter how secure you think the internal network is, if you are
willing to entertain the idea of doing this you have a serious security
breach already in effect.

Also, zero-day vectors for the external attacks (a trojan and
DNS-poisoner) already exist.

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
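The danger discussed in this thread is that an intercepting proxy which blindly takes the packet's destination IP and still labels the reply with the URL built from the client's Host header can be turned into a cache poisoner: one malicious or compromised client talks to an arbitrary IP with a forged Host, and every other client later gets that reply from cache. The following is an added example, not Squid's code: it shows the check a defender would want if the "use the Dst IP from the packet" option existed. The proxy keeps connecting to the intercepted destination IP (the client's TCP connection went there anyway), but only treats the response as cacheable when the Host header resolves to that same IP. The resolver is injected, and the zone data is constructed sample data, so the example runs offline.

```python
"""Host-vs-destination consistency check for an intercepting proxy.

Added example, not Squid code. Assumptions (labelled): `resolver` is an
injected callable so the check runs offline; a real deployment would use
the proxy's own DNS resolver and cache.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Decision:
    connect_to: str   # IP the proxy actually opens a TCP connection to
    cacheable: bool   # may the reply be stored under the Host-based URL?
    reason: str       # short tag suitable for a cache.log line


# Constructed sample zone for the offline resolver (not real DNS data).
SAMPLE_DNS = {
    "intranet.example.com": ["10.0.0.5"],
    "www.example.org": ["203.0.113.10", "203.0.113.11"],
}


def sample_resolver(name):
    """Stand-in for a DNS lookup: returns the A records for `name`."""
    return SAMPLE_DNS.get(name, [])


def _host_name(host_header):
    """Extract the bare host from a Host header, dropping any :port."""
    h = host_header.strip()
    if h.startswith("["):                      # bracketed IPv6 literal
        return h[1:h.index("]")].lower()
    return h.split(":", 1)[0].lower().rstrip(".")


def verify_intercepted_request(dst_ip, host_header, resolver=sample_resolver):
    """Decide where to connect and whether the reply may be cached.

    dst_ip: destination address of the intercepted TCP connection.
    host_header: the Host header the client sent.
    """
    host = _host_name(host_header)

    # Case 1: Host is an IP literal. No DNS needed, just compare.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if str(literal) == dst_ip:
            return Decision(dst_ip, True, "host-literal-matches-dst")
        return Decision(dst_ip, False, "host-literal-mismatch-no-cache")

    # Case 2: Host is a name. Cache only if it resolves to the packet's dst.
    if dst_ip in resolver(host):
        return Decision(dst_ip, True, "host-resolves-to-dst")

    # Mismatch (forged Host, stale DNS, or an unknown name): still honour
    # the packet's destination, but never store the reply under a URL the
    # client chose, so one client cannot poison the cache for the others.
    return Decision(dst_ip, False, "host-mismatch-no-cache")


if __name__ == "__main__":
    for dst, host in [("203.0.113.10", "www.example.org"),
                      ("198.51.100.7", "www.example.org"),
                      ("10.0.0.5", "intranet.example.com:8080")]:
        print(dst, host, verify_intercepted_request(dst, host))
```

The design choice worth noting is that the mismatch path does not refuse the request: refusing would break clients behind stale or split-horizon DNS, which is exactly the double-lookup cost Saurabh wanted to avoid. It only withholds caching, which is the part that turns one bad client into a problem for the whole network.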
Received on Tue Mar 25 2008 - 04:51:33 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT