[EMAIL PROTECTED] wrote:
> After removing access to the internal lan of course, moving it to properly within the dmz.
We agree about removing the second NIC to the LAN.
[ ...reordered... ]
> On Sat, Feb 15, 2003 at 01:11:27PM -0500, Chuck Swiger wrote:
>> However, better configurations may also be possible: in particular, if your users can use scp (sftp, rsync, etc) to access the FTP server. Authenticated access should be encrypted if possible.
> Easier for the admin and the users would be to put squid
> on the box, and have it proxy ftp.
I run squid, and I like it for what it does: however, I don't run squid to improve security. Besides, now we've switched from FTP's plaintext authentication to base64 (HTTP's auth/basic), which doesn't get you very far. That's if the admin sets up authentication, and the users use it; mis-configured (or simply open) proxies tend to open all sorts of potentially abusable holes.
Sure, I guess you could get SSL going for squid to make authenticating with the proxy unsniffable, but then you could set up apache+SSL and use WebDAV as a publishing mechanism. MS-Office apparently can do DAV, so your users are covered.
Frankly, "scp -r" or "rsync -a" is much easier. Use the right tool for the job, I say: "rsync" rocks for this type of task.
-Chuck
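
The comparison above between FTP's plaintext login and HTTP Basic's base64, as an added example that is not part of the original message: an audit check over captured protocol lines that reports every credential readable without a key. The sample capture, host name, account and passwords are constructed for illustration.

```python
import base64
import binascii

AUTH_HEADERS = {"authorization", "proxy-authorization"}

# Constructed sample: what a passive observer sees for an FTP login and for
# an FTP fetch through an HTTP proxy that uses Basic authentication.
SAMPLE_CAPTURE = [
    "USER alice",
    "PASS s3cret-ftp",
    "GET ftp://ftp.example.org/pub/report.doc HTTP/1.0",
    "Proxy-Authorization: Basic " + base64.b64encode(b"alice:s3cret-proxy").decode(),
    "Authorization: Basic not*base64",  # malformed token, must be skipped
]


def decode_basic(token):
    """Return (user, password) from a Basic token, or None if malformed."""
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        user, sep, password = raw.decode("utf-8").partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


def find_exposed_credentials(lines):
    """List (source, user, password) for credentials sent without encryption."""
    findings = []
    ftp_user = None
    for line in lines:
        line = line.rstrip("\r\n")
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            ftp_user = arg
        elif verb.upper() == "PASS" and ftp_user is not None:
            findings.append(("ftp", ftp_user, arg))
            ftp_user = None
        else:
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() in AUTH_HEADERS:
                scheme, _, token = value.strip().partition(" ")
                creds = decode_basic(token) if scheme.lower() == "basic" else None
                if creds:
                    findings.append((name.strip().lower(), *creds))
    return findings


if __name__ == "__main__":
    for source, user, password in find_exposed_credentials(SAMPLE_CAPTURE):
        print(f"{source}: user={user!r} password={password!r}")
```

Both the FTP login and the proxy header are reported, since base64 is an encoding with no key; the same session carried over ssh (scp, rsync) or TLS produces no such lines.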