On Wed, 2002-03-06 at 16:21, Josh Frick wrote:
> I've just added a Dante/Squid proxy to my network, and I'd like to know
> if this is significantly more secure than packet filtering.

You can view the separate services as:

  packet filtering = IP layer filtering.
  masquerading = IP layer NAT. (okay, a subset)
  squid proxy = application layer filtering. (and HTTP cache, and ...)
  socks = application layer NAT.

They are completely different beasts and complement each other. One is not "more secure" than the other -- they offer completely different services.

> I can't seem to get a straight answer from online documentation for Socks, and
> I know Squid is not inherently secure, but I have a fairly
> straight-forward question:
>
> Do Socks4/5 and/or Squid actually prevent packets with inappropriate
> protocols from being passed on to the client (i.e. telnet to port 80)?

No and yes. Socks doesn't analyze packet contents. Squid does, but telnet to port 80 is not inappropriate, and just establishes a TCP/IP connection. If you want to block people connecting to a potential telnet _server_ on port 80, then yes, squid will block it. Read the config file to learn more, as by default it allows more than just HTTP (like FTP).

> If not, what does?

Socks allows just about any generic protocol through, so it will be hard to block anything. I know, for example, that socks allows SSH, which is entirely encrypted.

Squid should definitely be able to block anything that is not an HTTP GET/POST request, which is what I assume you want to do. But you should really test that, and test it for your current configuration.

Be careful: there are ways to tunnel telnet over HTTP, which were specifically written to get around proxies.

> Sincerely,
>
> Josh Frick

-- 
Berend De Schouwer
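The squid.conf ACL approach the reply points at, written out as an added example (this is not configuration from the thread or from the Squid project's defaults). It assumes the clients sit on 192.168.1.0/24 and uses the Squid 2.x-era ACL syntax; the default configuration shipped at the time proxied ftp:// and gopher:// URLs and allowed CONNECT, which is what the "allows more than just HTTP" remark refers to.

```conf
# Added example: restrict Squid to plain HTTP GET/POST/HEAD from the LAN.
# Assumed network: clients on 192.168.1.0/24 (change to your own range).

acl all       src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl localnet  src 192.168.1.0/255.255.255.0
acl manager   proto cache_object

# Only the HTTP URL scheme. Without this Squid will also fetch ftp:// and
# gopher:// URLs for clients.
acl http_only proto HTTP

# Only ordinary web methods. CONNECT is deliberately absent: it is what
# https:// clients and most proxy-tunnelling tools rely on.
acl web_methods method GET POST HEAD

# Destination ports we are willing to connect to on the client's behalf.
# A request for http://host:23/ would be refused here.
acl http_ports port 80 8080

# http_access lines are evaluated in order; the first match wins.
http_access allow manager localhost
http_access deny  manager
http_access deny  !http_only
http_access deny  !web_methods
http_access deny  !http_ports
http_access allow localnet
http_access deny  all

# If you do need https:// through the proxy, allow CONNECT to 443 only,
# by replacing the "deny !web_methods" line above with these three:
#   acl SSL_ports port 443
#   acl CONNECT   method CONNECT
#   http_access deny CONNECT !SSL_ports
#   http_access deny !web_methods !CONNECT
```

Two caveats worth checking against your own setup, in the spirit of the "test it for your current configuration" advice. First, `proto`, `method` and `port` ACLs only look at the request line Squid parses, so a tunnelling tool that wraps its traffic in syntactically valid GET/POST requests to port 80 passes every rule above; these ACLs stop raw telnet-to-port-80 style connections, not HTTP-framed tunnels. Second, verify the ordering with `squid -k parse` and a few deliberate requests (an ftp:// URL, a CONNECT to port 23, a GET to port 23) rather than trusting the file as read.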

