> On Thu, 2008-11-06 at 14:52 +0000, David Hurcomb wrote: >> Hello, >> >> I am running Squid on a Linux box which is also hosting a customer >> database (Oracle). >> >> I am concerned that by having the Proxy server on the same box as the >> database that I am introducing an increased security risk. >> >> e.g. an exploit in squid might mean that a hacker is able to gain access >> to my customer database. >> >> Assuming that my network is locked down so that the (external router) >> firewall has blocked all WAN->LAN traffic to our network on all ports am >> I correct in assuming that.... >> >> The only weakness is from an security exploit to squid being initiated >> from inside our network. >> >> The network user might potentially be duped to go to a boobytrapped web >> page which has the potential to exploit a security weakness in squid >> itself. >> >> Thanks in advance for your answers, I would like to be able to sleep >> soundly that my proxy server is not a security risk to my data. > > You did not ask any questions. In general, you are correct that adding > applications to a server increases your security risks. Hopefully, the > benefits of those applications outweigh the risks. > > In Squid's case, you can (and should) mitigate some of the risks by > running Squid using a non-privileged user account which is different > from the database user account. If Squid is compromised and Linux is > not, you may lose connectivity but not the database. > There is a list of advisories against certain older Squid releases. http://www.squid-cache.org/Advisories/ In the end it comes down to, use the latest Squid available (2.7.STABLE5 or 3.0.STABLE10) and be careful with the access controls you configure. If you are in a security critical situation, stay away from transparent interception. There are complicated but possible avenues for abusing transparent proxies for web access (but none known that would affect non-web software without a badly insecure config). Amos
