Internet security question

Posted on 1999-08-03
Medium Priority
Last Modified: 2010-03-18
I'm busy setting up a simple proxy server on my network as follows: the Linux server has two network cards, one with a real IP address connected to the internet, the other with my 10.1... address on my internal network. I'm running squid on this machine to enable my users to surf the web. My question is: How safe are my internal users from attacks from the internet? Is it necessary for me to install firewalling software as well? There is obviously no route between the two NICs except if someone could telnet into the box... A well-documented (referenced) answer will receive the points :)
Question by:johand

Expert Comment

ID: 1585992
In that setup, the proxy machine would be the target of attacks.  As you say, if your proxy is compromised, that opens your entire local network to attack.  So long as your proxy is secure, no one will be able to initiate connections into your local network.

In order to properly lock down your proxy server, however, you'll probably end up using firewall-type restrictions anyway.  It might make more sense to give your local network more access to the internet using masquerading, and go ahead and call your proxy server a firewall.

Author Comment

ID: 1585993
"It might make more sense to give your local network more access to the internet using masquerading, and go ahead and call your proxy server a firewall." If you suggest this as a better option, could you be more specific as to how to go about it, where to find information, what packages to use, etc...


Expert Comment

ID: 1585994
For the current version of RedHat, at least, the ipchains package will allow you to set up IP Masquerading as well as forwarding and firewalling rules.

Accepted Solution

xpash earned 600 total points
ID: 1585995
A good solution to this problem is to masquerade your internal network so no one will be able to know that there exists an internal network...
Use ipfwadm-wrapper ipchaining...

Expert Comment

ID: 1585996
ipfwadm is the old way to do it...  *shrug*  ipchains is the currently accepted way...
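
What the ipchains suggestion in this thread could look like on the dual-homed proxy, as an added example that is not part of the original thread or of any poster's answer: a script that prints a masquerading ruleset with anti-spoofing and a block on new inbound TCP connections (telnet included). The function name `gen_rules`, the interface name and the network address in the usage comment are constructed sample values; substitute your own.

```shell
#!/bin/sh
# Added example: prints an ipchains (Linux 2.2) ruleset for a host with one
# internet-facing NIC and one internal NIC. Review the output, then pipe it
# to sh as root. Constructed usage: ./masq.sh eth0 192.168.1.0/24

# gen_rules EXT_IF INT_NET -> writes ipchains commands to stdout
gen_rules() {
    ext_if=$1
    int_net=$2

    # Accept only a plain interface name and an a.b.c.d/len network, so the
    # generated text is safe to hand to a root shell.
    case $ext_if in
        ''|*[!a-z0-9]*) echo "bad interface: $ext_if" >&2; return 1 ;;
    esac
    echo "$int_net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || {
        echo "bad network: $int_net" >&2; return 1; }

    cat <<EOF
# Start from empty chains; forward nothing unless a rule allows it.
ipchains -F input
ipchains -F forward
ipchains -P forward DENY
# Anti-spoofing: internal source addresses must never arrive from outside.
ipchains -A input -i $ext_if -s $int_net -l -j DENY
# Refuse and log new inbound TCP connections (SYN set, ACK clear) on the
# internet side; replies to connections opened by squid still pass.
ipchains -A input -i $ext_if -p tcp -y -l -j DENY
# Masquerade internal traffic leaving through the external interface.
ipchains -A forward -s $int_net -i $ext_if -j MASQ
# Enable forwarding only after the rules are in place.
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Stand-alone use: print the ruleset for the two arguments given.
if [ "$#" -eq 2 ]; then
    gen_rules "$1" "$2"
fi
```

ipchains is stateless, and this ruleset leaves UDP and ICMP on the external interface unfiltered, so any UDP service listening on the proxy still needs its own rule.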
