On Thu, 2008-11-06 at 14:52 +0000, David Hurcomb wrote:
> Hello,
>
> I am running Squid on a Linux box which is also hosting a customer
> database (Oracle).
>
> I am concerned that by having the Proxy server on the same box as the
> database that I am introducing an increased security risk.
>
> e.g. an exploit in squid might mean that a hacker is able to gain access
> to my customer database.
>
> Assuming that my network is locked down so that the (external router)
> firewall has blocked all WAN->LAN traffic to our network on all ports am
> I correct in assuming that....
>
> The only weakness is from a security exploit to squid being initiated
> from inside our network.
>
> The network user might potentially be duped to go to a booby-trapped web
> page which has the potential to exploit a security weakness in squid itself.
>
> Thanks in advance for your answers, I would like to be able to sleep
> soundly that my proxy server is not a security risk to my data.

You did not ask any questions. In general, you are correct that adding
applications to a server increases your security risks. Hopefully, the
benefits of those applications outweigh the risks.

In Squid's case, you can (and should) mitigate some of the risks by
running Squid using a non-privileged user account which is different
from the database user account. If Squid is compromised and Linux is
not, you may lose connectivity but not the database.

HTH,

Alex.
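One way to check the account separation recommended in the reply above, as an added example that is not part of the original message. It assumes proxy processes are named `squid`, that Oracle background processes start with `ora_`, and that a root-owned Squid parent beside a non-root worker is acceptable; the sample process lists are constructed.

```shell
#!/bin/sh
# Added example: verify that Squid and the database do not share an account.
# Input on stdin: "USER COMMAND" lines, e.g. from `ps -eo user=,comm=`.
# Assumptions: proxy processes are named "squid"; database background
# processes start with "ora_". Adjust both patterns for your install.

check_isolation() {
    awk '
        $2 == "squid" || $2 == "(squid)" {
            proxy[$1] = 1; np++
            if ($1 != "root") unpriv = 1    # at least one non-root worker
        }
        $2 ~ /^ora_/ { db[$1] = 1 }
        END {
            if (np == 0) { print "no squid process found"; exit 2 }
            bad = 0
            if (!unpriv) { print "FAIL: squid runs only as root"; bad = 1 }
            for (u in proxy)
                if (u in db) {
                    print "FAIL: squid and database share account " u
                    bad = 1
                }
            if (!bad) print "OK: squid runs under its own non-privileged account"
            exit bad
        }'
}

# Constructed sample process lists (not taken from a real host).
SAMPLE_GOOD='root squid
squid squid
oracle ora_pmon_ORCL
oracle ora_dbw0_ORCL'

SAMPLE_SHARED='oracle squid
oracle ora_pmon_ORCL'

SAMPLE_ROOT='root squid
oracle ora_pmon_ORCL'

# Demonstration on the constructed "good" layout.
# On a live host: ps -eo user=,comm= | check_isolation
printf '%s\n' "$SAMPLE_GOOD" | check_isolation
```

The function exits 0 when the accounts are separate, 1 when Squid runs only as root or shares an account with the database, and 2 when no Squid process is listed.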