Re: Question about dmz security
From: Chuck Swiger <cswiger () mac com>
Date: Tue, 18 Feb 2003 13:23:56 -0500
mlh () zip com au wrote:
> After removing access to the internal lan of course,
> moving it to properly within the dmz.

We agree about removing the second NIC to the LAN.

[ ...reordered... ]

> On Sat, Feb 15, 2003 at 01:11:27PM -0500, Chuck Swiger wrote:
> > However, better configurations may also be possible: in particular,
> > if your users can use scp (sftp, rsync, etc) to access the FTP
> > server. Authenticated access should be encrypted if possible.
>
> Easier for the admin and the users would be to put squid
> on the box, and have it proxy ftp.
I run squid, and I like it for what it does: however, I don't run squid
to improve security. Besides, now we've switched from FTP's plaintext
authentication to base64 (HTTP's auth/basic), which doesn't get you very
far. That's if the admin sets up authentication, and the users use it;
mis-configured (or simply open) proxies tend to open all sorts of
potentially abusable holes.
Sure, I guess you could get SSL going for squid to make authenticating
with the proxy unsniffable, but then you could set up apache+SSL and use
WebDAV as a publishing mechanism. MS-Office apparently can do DAV, so
your users are covered.
Frankly, "scp -r" or "rsync -a" is much easier. Use the right tool for
the job, I say: "rsync" rocks for this type of task.
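To make concrete the point above that HTTP Basic's base64 is an encoding rather than encryption, here is an added Python example (not part of the original thread): it scans a constructed capture for the credentials that a plaintext FTP login and an HTTP Basic proxy login both leave exposed to anyone watching the wire. The hostname and credentials in the sample are made up.

```python
import base64
import re

# Constructed sample of what a passive observer on the wire would see for
# (a) a plaintext FTP login and (b) an HTTP request to a proxy carrying
# Basic auth. Not real traffic; the host and credentials are made up.
SAMPLE_CAPTURE = """\
220 ftp.example.test FTP server ready
USER alice
331 Password required for alice
PASS hunter2
230 User alice logged in
GET ftp://ftp.example.test/pub/file.txt HTTP/1.1
Host: ftp.example.test
Proxy-Authorization: Basic Ym9iOnMzY3IzdA==
"""

FTP_USER = re.compile(r"^USER\s+(\S+)", re.I)
FTP_PASS = re.compile(r"^PASS\s+(\S+)", re.I)
BASIC = re.compile(r"^(?:Proxy-)?Authorization:\s*Basic\s+(\S+)", re.I)


def recover_credentials(capture: str) -> list[tuple[str, str, str]]:
    """Return (protocol, username, password) triples found in a text capture.

    FTP sends USER/PASS in the clear; HTTP Basic sends base64("user:pass"),
    which decodes with no key. Both are equally visible to an eavesdropper,
    which is why an audit of this kind should come back empty."""
    found = []
    pending_user = None
    for line in capture.splitlines():
        m = FTP_USER.match(line)
        if m:
            pending_user = m.group(1)
            continue
        m = FTP_PASS.match(line)
        if m and pending_user is not None:
            found.append(("ftp", pending_user, m.group(1)))
            pending_user = None
            continue
        m = BASIC.match(line)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                continue  # malformed token: skip it rather than guess
            user, _, password = decoded.partition(":")
            found.append(("http-basic", user, password))
    return found


if __name__ == "__main__":
    for proto, user, pw in recover_credentials(SAMPLE_CAPTURE):
        print(f"{proto}: {user} / {pw}")
```

Run against a capture of an scp, sftp or rsync-over-ssh session instead, the same scan finds nothing, because the authentication exchange is encrypted end to end.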