On Mon, 24 Jan 2000, Tim Sailer wrote:

TS} OK, here is a question about perimeter defense... If I put a hardened *nix
TS} (unix/freebsd/linux/whatever) in the perimeter, and put squid on it to
TS} proxy all outbound web traffic, besides the tunneled java, etc, is there
TS} any major security risk? It will be a dual connected host, 1 NIC inside and
TS} 1 outside.

I am currently using this approach.  I do have ICP, HTTP, HTTPS, and FTP
restricted to the internal interface.  The perimeter Squid server is not
used, directly, by internal users.  They use internal Squid proxies in
each building that have the perimeter Squid defined as a parent.

The key reason for this approach is that we use a split-DNS configuration.  
The perimeter system hosting the Squid server is, also, the external name
server and has no knowledge of internal systems.


                             Merton Campbell Crockett
+--------------------------------------------------------------------------+
| Manager, Network Operations & Services | Chief Network/Security Engineer |
| General Dynamics Electronic Systems    |    Naval Surface Warfare Center |
| Intelligence Systems Organization      |           Port Hueneme Division |
| Thousand Oaks, CA                      |                Port Hueneme, CA |
+--------------------------------------------------------------------------+


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
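The two-tier layout Merton describes (per-building Squid proxies that use a perimeter Squid as their parent, with the perimeter host listening only on its inside interface) can be expressed in a pair of squid.conf fragments. The following is an added illustration, not the poster's configuration; it assumes Squid 3.x-or-later directive syntax and a constructed addressing scheme: perimeter inside NIC 10.0.0.1, outside NIC 192.0.2.10, internal space 10.0.0.0/8, and building proxies at 10.1.1.1 and 10.2.1.1.

```squid
# ---- perimeter squid.conf (dual-homed host) ----
# Addresses below are constructed for this example.

# Bind every listener to the INSIDE address only. Nothing listens on the
# outside NIC, so the host is never reachable as an open proxy from the
# Internet, which is the main exposure of a dual-connected proxy box.
http_port 10.0.0.1:3128
icp_port 3130
udp_incoming_address 10.0.0.1

# HTTP, HTTPS (CONNECT) and ftp:// URLs all arrive on http_port; only the
# building proxies may use this parent, users never hit it directly.
acl building_proxies src 10.1.1.1 10.2.1.1
acl SSL_ports port 443
acl CONNECT method CONNECT

# CONNECT tunnels are limited to 443, then only the child proxies are allowed.
http_access deny CONNECT !SSL_ports
http_access allow building_proxies
http_access deny all
icp_access allow building_proxies
icp_access deny all

# Same host runs the external name server: it knows Internet names only,
# so no internal hostnames are resolvable (or leaked) from this system.
dns_nameservers 127.0.0.1

# ---- internal (per-building) squid.conf ----
# Serves one building's client subnet (constructed: 10.1.0.0/16).
http_port 10.1.1.1:3128
acl localnet src 10.1.0.0/16
http_access allow localnet
http_access deny all

# Hand every request to the perimeter Squid and never go direct: the
# building proxy has no Internet route of its own, and split DNS means
# it could not resolve external names anyway.
cache_peer 10.0.0.1 parent 3128 3130 default
never_direct allow all
```

Two quick checks after deploying: `squid -k parse` on each box to confirm the configuration loads, and a socket listing on the perimeter host (for example `ss -lntu` or `netstat -an`) to confirm that 3128/tcp and 3130/udp are bound to 10.0.0.1 and that nothing is listening on the outside address.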