
Re: How squid does Src/Dst IP address matching

Adrian Chadd wrote:
> On Mon, Mar 24, 2008, Saurabh Agarwal wrote:
>> I understand the security concern, but if squid is accessed by users
>> only within the company and the company's intranet is secure enough, then it
>> is overkill, as DNS is performed twice (Squid being used in transparent
>> mode), once by the browser and then a second time by Squid.
>> Shouldn't we have this configurable through the squid.conf file, though
>> with the disclaimer you wrote earlier? This looks like a good feature to
>> have.
>>
>> Like: Disable DNS lookups by Squid, instead use the DST IP address in the
>> intercepted HTTP request.
>> #disable_dns_lookup, hence use Dst IP from the packet
>
> That's not a bad idea, but the possibility is there to absolutely, positively
> blow away not only your clients' feet, but their legs, their torso, their
> car/bike, and potentially their neighbours' pet. It's very dangerous.
>
> I'll commit a patch if someone submits one. It has to have a very, very
> large warning and it also needs to log something in cache.log to explain
> why enabling the option is 100% dangerous.
>
> Please realise that it's not only compromised hosts, it's also malicious users.


Even larger than that.
All the below come in two variants: compromised OR malicious.

INTERNAL:
 - hosts
 - DNS
 - users
 - unintended intruders

EXTERNAL:
 - DNS
 - routers

It's those external threats that you really have no control over and can turn the web proxy into an effective borg of the entire internal network.

No matter how secure you think the internal network is: if you are willing to entertain the idea of doing this, you have a serious security breach already in effect.

Also, zero-day vectors for the external attacks (a trojan and DNS-poisoner) already exist.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
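The check the thread is arguing about, as an added illustration that is not part of the mailing-list post and not Squid's own code: an intercepting proxy resolves the Host header itself and only forwards to the packet's destination IP when that address is one the name actually resolves to; anything else is logged (the cache.log entry Adrian asks for) and refused. The DNS table, the `fake_resolve` resolver and the request bytes are all constructed for the example; the `check_intercepted` and `host_header` names are hypothetical.

```python
"""Host-header vs. packet-destination consistency check for intercepted HTTP.

Added example, not Squid code. Models the defensive lookup that the proposed
"disable_dns_lookup" option would remove: the proxy never forwards to the
intercepted destination IP unless the Host header resolves to that address.
"""
import ipaddress
import logging
from typing import Iterable, Optional, Tuple

log = logging.getLogger("cache.log")  # stand-in for Squid's cache.log

# Constructed DNS table standing in for the proxy's own resolver (hypothetical data).
FAKE_DNS = {
    "intranet.example": ["10.0.0.5"],
    "www.example.com": ["203.0.113.10", "203.0.113.11"],
}


def fake_resolve(hostname: str) -> Iterable[str]:
    """Constructed resolver: returns the A records for a name, or nothing."""
    return FAKE_DNS.get(hostname.lower().rstrip("."), [])


def host_header(raw: bytes) -> Optional[str]:
    """Return the Host header value with any :port suffix removed, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            value = value.strip()
            if value.startswith("["):             # bracketed IPv6 literal, maybe with port
                return value[1:value.index("]")]
            # exactly one colon means host:port; more means a bare IPv6 literal
            return value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    return None


def check_intercepted(raw: bytes, packet_dst: str,
                      resolve=fake_resolve) -> Tuple[str, Optional[str]]:
    """Decide whether the intercepted destination may be used as upstream.

    Returns (verdict, ip): "ok" with the validated IP, or one of
    "no_host", "unresolved", "forgery" with None, each logged.
    """
    host = host_header(raw)
    dst = str(ipaddress.ip_address(packet_dst))
    if host is None:
        log.warning("intercepted request with no Host header, dst %s", dst)
        return "no_host", None
    resolved = {str(ipaddress.ip_address(a)) for a in resolve(host)}
    if not resolved:
        log.warning("Host %s does not resolve; refusing dst %s", host, dst)
        return "unresolved", None
    if dst in resolved:
        return "ok", dst
    # The Host header and the TCP destination disagree: a compromised host,
    # a malicious user or a poisoned DNS answer can produce exactly this.
    log.error("host header forgery: Host %s resolves to %s, packet dst was %s",
              host, sorted(resolved), dst)
    return "forgery", None


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    good = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    print(check_intercepted(good, "203.0.113.11"))   # ('ok', '203.0.113.11')
    # Constructed mismatch: Host says www.example.com but the packet went elsewhere.
    print(check_intercepted(good, "198.51.100.7"))   # ('forgery', None)
```

Swapping `fake_resolve` for a real `socket.getaddrinfo`-based resolver gives the behaviour the thread describes as the "second" DNS lookup; the point of the example is that this lookup is what lets the proxy notice when the header and the packet disagree.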
