Re: Question about dmz security

[Chuck Swiger <cswiger () mac com>]

mlh () zip com au wrote:
> After removing access to the internal lan of course,
> moving it to properly within the dmz.

We agree about removing the second NIC to the LAN.

[ ...reordered... ]
> On Sat, Feb 15, 2003 at 01:11:27PM -0500, Chuck Swiger wrote:
> > However, better configurations may also be possible: in particular,
> > if your users can use scp (sftp, rsync, etc) to access the FTP
> > server. Authenticated access should be encrypted if possible.
>
> Easier for the admin and the users would be to put squid
> on the box, and have it proxy ftp.

I run squid, and I like it for what it does: however, I don't run squid 
to improve security.  Besides, now we've switched from FTP's plaintext 
authentication to base64 (HTTP's auth/basic), which doesn't get you very 
far.  That's if the admin sets up authentication, and the users use it; 
mis-configured (or simply open) proxies tend to open all sorts of 
potentially abusable holes.

Sure, I guess you could get SSL going for squid to make authenticating 
with the proxy unsniffable, but then you could set up apache+SSL and use 
WebDAV as a publishing mechanism.  MS-Office apparently can do DAV, so 
your users are covered.

Frankly, "scp -r" or "rsync -a" is much easier.  Use the right tool for 
the job, I say: "rsync" rocks for this type of task.

-Chuck