In recent versions (2.3 I believe) Squid has acl types for the
listening port & ip that the request was received on, as well as the
source ip of the request. There is no concept of LAT as such, just a
series of acl checks that every request must pass to be serviced.

Thus it is easy for existing users to turn on such a check by editing
their squid.conf.

Rob
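As an added illustration (not part of Rob's or David's messages), here is what such a squid.conf check could look like. It assumes the Squid 2.x ACL type names src, myip and myport, and a hypothetical topology: clean/internal interface 192.168.1.1, dirty/external interface 203.0.113.5, internal clients in 192.168.1.0/24.

```conf
# Added example squid.conf fragment, not from the original thread.
# Assumed (hypothetical) topology: clean interface 192.168.1.1,
# dirty interface 203.0.113.5, internal clients 192.168.1.0/24.

# Who is asking: the source address of the request. This is the Squid
# counterpart of the MS Proxy LAT check discussed in the quoted message.
acl internal_clients src 192.168.1.0/24

# Where it arrived: the local address and port the request came in on.
acl clean_if   myip   192.168.1.1
acl proxy_port myport 3128

# The proxy host's own external address should never be a client;
# reject such requests explicitly before anything else.
acl dirty_self src 203.0.113.5

http_access deny  dirty_self
http_access allow internal_clients clean_if proxy_port
http_access deny  all
```

The src check is the one that matters for the multi-homed case: a packet that enters on the dirty interface but is addressed to the clean interface's IP still matches myip for the clean address, so myip and myport on their own only stop requests aimed at the external address. For the same reason, binding http_port to the clean address alone does not close the hole. Source addresses can be spoofed, so the src rule should be paired with anti-spoofing rules on the packet filter in front of the host.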


----- Original Message -----
From: "David Litchfield" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 07, 2001 7:18 AM
Subject: Re: Loopback and multi-homed routing flaw in TCP/IP stack.


> > > >We believe there to be a serious security flaw in the TCP/IP stack of
> > > >several Unix-like operating systems. Whilst being "known" behavior on
> > > >technical mailing lists, we feel that the implications of this
> > > >"feature" are unexpected. Furthermore, not all platforms behave in the
> > > >same way, which will obviously lead to invalid expectations.
> > >
>
> This affects Windows NT as well. I spoke of the exact same problem back in
> the December of 1998 (http://www.securityfocus.com/vdb/bottom.html?vid=1692
> for the BID and http://oliver.efri.hr/~crv/security/bugs/NT/msproxy3.html
> for the details) whereby we could get to the "clean" interface via the
> "dirty" interface on MS Proxy II and from there to the rest of the
> "protected" network. Microsoft's response at that time was that this
> "feature" was part of the IP routing spec and as such they wouldn't do
> anything about it because it would break this spec.
>
> In terms of the threat posed by this "feature" in terms of proxy servers,
> like MSP and Squid, this should be controlled at the application level. For
> example, in MSP, you have a Local Address Table that specifies those IP
> addresses that are _allowed_ to use the proxy services. The dirty interface is
> not in the LAT so MSP should dump a request for proxy services if the source
> IP address is that of the dirty interface. Why service a request from an IP
> address if it is not in the LAT? Unfortunately to my knowledge this is not
> the way things are done with MSP or Squid - so perhaps they should.
>
> Cheers,
> David Litchfield
> Director of Security Architecture
> @stake
> http://www.atstake.com/
>
