[squid-users] Using proxy authentication to detect/protect from malicious software?

From: Marco Stolpe <[email protected]>
Date: Fri, 12 Sep 2003 14:33:55 +0200

Hello,

besides caching and filtering, another idea that came to my mind for using
a proxy is security. I'm planning to use squid for my home network
as well as for a network I'm administering at my university. Both
networks have Windows clients and a firewall based on OpenBSD.

The firewall configuration allows users to access web servers on port
80, SMTP traffic and POP3. I've chosen such a restrictive policy to
prevent malicious software from spreading across the internet, in case anyone
should ever open an email attachment containing a trojan horse/virus -
whatever. This configuration has two problems:

- users can only connect to web servers using port 80, web servers on
non-standard ports aren't accessible

- malicious software like spyware still could use port 80 to tunnel
information through it (of course, it could also use the other ports,
but I might close those in the future)

A proxy could solve those problems. For example, I could use filtering
together with a white list of "trusted" URLs which are allowed for my
users. Any malicious software trying to connect to its home URL then
hopefully would fail to do so. But of course, keeping such a white list
up-to-date is tedious and not very user friendly.

When I read about squid's proxy authentication feature, at first I
thought that might be a better solution. IMHO, it has the disadvantage
that passwords are transmitted in the clear.

So my first question is if there exists any solution to encrypt those
passwords (maybe SSL, maybe anyone knows of another proxy supporting it?).

My second question is how proxy authentication maintains information
about a user's session. It's clear to me that even with a proxy,
malicious plug-ins or ActiveX controls in a user's browser could
"circumvent" the proxy. That can't be prevented. But what about other,
stand-alone processes? For example, let's say the user was authenticated
successfully to the proxy. Now a malicious background process on the
same machine tries to access its home URL through the proxy. Will the
request pass or will it be blocked?

What I mean is: based on which credentials (per request) does the proxy
decide which traffic is allowed to pass through after it has
successfully authenticated a user?

Thanks in advance for any answers to my questions,

Marco
Received on Fri Sep 12 2003 - 06:31:40 MDT
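Both questions in the post come down to what an HTTP proxy actually sees on the wire. The following is an added example, not code from the original post or from Squid: a small Python model of the decision a proxy_auth ACL makes, using a constructed password database (user "marco" with a made-up password), a constructed realm and nonce, and constructed requests. It shows that Basic credentials are only base64-encoded, so decoding the header gives back the password; that Digest authentication (which Squid also supports, alongside Basic) sends an MD5 response instead of the password; and that the proxy decides each request from the Proxy-Authorization header of that request alone, so a stand-alone process that can present the same header is indistinguishable from the browser, while one that cannot gets a 407 challenge.

```python
import base64
import hashlib

# Constructed password database and realm (hypothetical; not from the original post).
REALM = "Squid proxy"
PASSWD = {"marco": "s3cret"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, request-target, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def basic_cleartext(param):
    """Basic auth carries base64(user:password); decoding it recovers the password."""
    return base64.b64decode(param).decode()


def check_basic(param):
    try:
        user, _, password = basic_cleartext(param).partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if PASSWD.get(user) == password else None


def digest_header(user, password, method, uri, nonce):
    """Client side of Digest auth (RFC 2617 without qop): hashes go over the wire, not the password."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    response = md5hex(f"{ha1}:{nonce}:{ha2}")
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def check_digest(param, method):
    """Proxy side of Digest auth: recompute the expected response from the stored password."""
    p = {}
    for part in param.split(","):
        k, _, v = part.strip().partition("=")
        p[k] = v.strip('"')
    user = p.get("username")
    if user not in PASSWD or p.get("realm") != REALM:
        return None
    ha1 = md5hex(f"{user}:{REALM}:{PASSWD[user]}")
    ha2 = md5hex(f"{method}:{p.get('uri')}")
    return user if p.get("response") == md5hex(f"{ha1}:{p.get('nonce')}:{ha2}") else None


def proxy_decide(raw):
    """Decide one request the way a proxy_auth ACL does: only the Proxy-Authorization
    header of this request counts. The client process, its address and any earlier
    request from the same machine are not consulted, because HTTP is stateless."""
    method, _target, headers = parse_request(raw)
    scheme, _, param = headers.get("proxy-authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        user = check_basic(param)
    elif scheme == "digest":
        user = check_digest(param, method)
    else:
        user = None
    if user is None:
        return 407, None        # Proxy Authentication Required: retry with credentials
    return 200, user


def request(target, auth_header=None):
    """Build a constructed proxy request (absolute-URI form, as clients send to proxies)."""
    lines = [f"GET {target} HTTP/1.0", "Host: " + target.split("/")[2]]
    if auth_header:
        lines.append("Proxy-Authorization: " + auth_header)
    return "\r\n".join(lines) + "\r\n\r\n"


def demo():
    """Browser with credentials, a background process without them, and the same
    background process after reading the stored credentials: the proxy cannot tell
    the third case from the first."""
    basic = "Basic " + base64.b64encode(b"marco:s3cret").decode()
    browser = request("http://www.squid-cache.org/", basic)
    spyware = request("http://spyware.example/phone-home")
    spyware_with_creds = request("http://spyware.example/phone-home", basic)
    return proxy_decide(browser)[0], proxy_decide(spyware)[0], proxy_decide(spyware_with_creds)[0]


def digest_demo():
    """Correct and wrong Digest password; the header never contains the password itself."""
    nonce = "c0nstructedn0nce"   # in real traffic the proxy issues this in its 407 challenge
    uri = "http://www.squid-cache.org/"
    good = digest_header("marco", "s3cret", "GET", uri, nonce)
    bad = digest_header("marco", "wrong", "GET", uri, nonce)
    return proxy_decide(request(uri, good))[0], proxy_decide(request(uri, bad))[0], "s3cret" in good


if __name__ == "__main__":
    print(demo())           # (200, 407, 200)
    print(digest_demo())    # (200, 407, False)
    print(basic_cleartext(base64.b64encode(b"marco:s3cret").decode()))   # marco:s3cret
```

The model mirrors what a Squid ACL of the form `acl auth proxy_auth REQUIRED` followed by `http_access allow auth` evaluates: credentials are re-checked on every request (Squid caches the result of the external helper lookup for a while, but the header must still be present each time), and nothing ties the credentials to the process that sends them. Digest keeps the password off the wire, but the MD5 response is still replayable within the nonce's lifetime and says nothing about which process on the client generated it; SSL to the proxy would protect the header in transit but would not change the per-request, per-header nature of the decision either.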