Home page logo

basics logo Security Basics mailing list archives

Re: Question about dmz security
From: Chuck Swiger <cswiger () mac com>
Date: Tue, 18 Feb 2003 13:23:56 -0500

mlh () zip com au wrote:
After removing access to the internal lan of course,
moving it to properly within the dmz.

We agree about removing the second NIC to the LAN.

[ ...reordered... ]
> On Sat, Feb 15, 2003 at 01:11:27PM -0500, Chuck Swiger wrote:
However, better configurations may also be possible: in particular,
if your users can use scp (sftp, rsync, etc) to access the FTP
server. Authenticated access should be encrypted if possible.
> Easier for the admin and the users would be to put squid
> on the box, and have it proxy ftp.

I run squid, and I like it for what it does: however, I don't run squid to improve security. Besides, now we've switched from FTP's plaintext authentication to base64 (HTTP's auth/basic), which doesn't get you very far. That's if the admin sets up authentication, and the users use it; mis-configured (or simply open) proxies tend to open all sorts of potentially abusable holes.

Sure, I guess you could get SSL going for squid to make authenticating with the proxy unsniffable, but then you could set up apache+SSL and use WebDAV as a publishing mechanism. MS-Office apparently can do DAV, so your users are covered.

Frankly, "scp -r" or "rsync -a" is much easier. Use the right tool for the job, I say: "rsync" rocks for this type of task.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]