# squid proxy firewall

## gustavolinux

folks, is Squid a proxy firewall (or application layer firewall)?

wikipedia says:

Third generation - application layer

... application layer firewall, also known as a proxy-based firewall...

The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in a known harmful way...

thanx

----------

## massimo

*gustavolinux wrote:*

> wikipedia says:
>
> Third generation - application layer
> ...

Do you have a link?

----------

## gustavolinux

hi there.. just go to en.wikipedia.org and type Firewall

thanx

----------

## massimo

Oh, I thought you referred to a wiki entry regarding Squid. Well, Squid can filter certain traffic at the application layer (e.g., http(s) but rather limited), hence you are able to parse the content and react depending on different things. One could call Squid an application layer proxy :)
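
As an added illustration of the application-layer filtering massimo describes (this is an example written for this thread, not Squid's shipped configuration), a minimal `squid.conf` fragment: Squid parses the HTTP request line, so it can restrict by destination port, method, host and URL path rather than only by TCP 5-tuple. The internal client range, the blocked-domain file and the log path are assumed values.

```conf
# Added example, not from the thread. Assumed values: 10.0.0.0/8 is the
# internal LAN, /etc/squid/blocked.txt lists one domain per line.
http_port 3128

# Internal clients allowed to use the proxy
acl localnet src 10.0.0.0/8
# Ports a CONNECT tunnel may reach (TLS only)
acl SSL_ports port 443
# Ports a plain HTTP request may reach
acl Safe_ports port 80 443 21 1025-65535
acl CONNECT method CONNECT

# Application-layer ACLs: these need the HTTP request to be parsed,
# which a packet filter cannot do.
acl blocked_sites dstdomain "/etc/squid/blocked.txt"
acl exe_downloads urlpath_regex -i \.(exe|msi|scr)$
acl bad_methods method TRACE TRACK

# First matching http_access line wins, so denies come first.
# HTTP to an odd port: a protocol being sneaked through on a non-standard port.
http_access deny !Safe_ports
# CONNECT only to 443, so the proxy cannot be used as a generic TCP relay.
http_access deny CONNECT !SSL_ports
http_access deny bad_methods
http_access deny blocked_sites
http_access deny exe_downloads
http_access allow localnet
# Default deny, as a packet filter would end its rule set.
http_access deny all

# Every allow/deny decision is logged, which is what makes the proxy
# a detection source and not only a filter.
access_log /var/log/squid/access.log squid
```

Squid evaluates `http_access` lines in order, so a rule placed after `allow localnet` would never be reached for internal clients.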

----------

## gustavolinux

ok... let's say "lato sensu" firewall... because in other forums people said "in any way squid is a firewall"... well e=mc2...

thanx

----------

## massimo

Well, in other forums people would not be so pleased hearing that a piece of software like Squid is a firewall...

*Quote:*

> well e=mc2

Personally, I doubt that (from a philosophical point of view).

You're welcome.

----------

## think4urs11

depends on how a person defines the term 'firewall'.

Lastly a firewall is a 'thing' which is able to control the dataflow between a and b in one way or the other. Some firewalls (like squid, frox, etc.) understand high-level protocols like http/ftp/..., others like iptables understand only lower-level protocols like udp/tcp and even more simple ones just know ARP (with that definition a bridge is also a firewall, a very simple one though but still ..)

The rest (means the different names like access control lists, stateful/stateless packetfilter, application level firewall, 'application intelligence' etc.) are partly pure marketing and partly to differentiate between those capabilities.

----------

## gustavolinux

nice answer... indeed, a firewall can be seen as a way to implement a security policy...

the rest is just subjective conventions....

[ ]'s

----------

## massimo

*Think4UrS11 wrote:*

> depends on how a person defines the term 'firewall'.
>
> Lastly a firewall is a 'thing' which is able to control the dataflow between a and b in one way or the other.

IMHO it's a little bit more than just a 'thing' - a box running iptables is a 'thing' but is far away from being a firewall.

*Think4UrS11 wrote:*

> Some firewalls (like squid, frox, etc.) understand high-level protocols like http/ftp/..., others like iptables understand only lower-level protocols like udp/tcp and even more simple ones just know ARP (with that definition a bridge is also a firewall, a very simple one though but still ..)

Again, IMHO the things you mention here can be at best part of a firewall... I'd call them filters and not firewalls.

*Think4UrS11 wrote:*

> The rest (means the different names like access control lists, stateful/stateless packetfilter, application level firewall, 'application intelligence' etc.) are partly pure marketing and partly to differentiate between those capabilities.

I wouldn't say that at the Networkers or any other conference dealing with topics you lumped together ;)

gustavolinux gave a nice summary the way I would see the idea behind a firewall:

*gustavolinux wrote:*

> a firewall can be seen as a way to implement a security policy

----------

## think4urs11

*massimo wrote:*

> IMHO it's a little bit more than just a 'thing' - a box running iptables is a 'thing' but is far away from being a firewall.

That's why I set it in quotes as a very broad general term; I know that definition of mine is very aggressive - by intention.

As said, the term firewall can be interpreted in different ways and all of them are more or less valid. Techies don't care too much about the correct wording but the technique.

*massimo wrote:*

> Again, IMHO the things you mention here can be at best part of a firewall... I'd call them filters and not firewalls.

Still a firewall also filters traffic in one way or the other - or the other way around any filter 'firewalls' between sender and recipient. Both describe the same; traffic will be controlled and restricted (sometimes even altered) between both ends of the data transfer.

*massimo wrote:*

> I wouldn't say that at the Networkers or any other conference dealing with topics you lumped together

I do this all the time and I've enough technical background to not be laughed at immediately, plus I've my asbestos underwear if some CCIE or better is my opponent ;)

*massimo wrote:*

> gustavolinux gave a nice summary the way I would see the idea behind a firewall:
>
> > *gustavolinux wrote:*
> >
> > a firewall can be seen as a way to implement a security policy

A firewall is just one single part of a security policy, which by itself is nothing to be 'pulled out of a box and put in the datacenter rack' but something which needs to be backed up with proper processes, needs to be 'lived' by all levels from data-typist/cleaning personnel to high-level manager (usage policies etc.) and such. The firewall (no matter which technology/product(s) is/are used) is just one technical detail within the policy.

----------

## massimo

*Think4UrS11 wrote:*

> The firewall (no matter which technology/product(s)<snip>

Well, that's the point I guess where our opinions of the meaning/idea behind the term firewall diverge. For me it's more than a technology and/or product. You select technologies and/or products when it comes to implementing it. Designing a firewall (concept) you have to have more than just a few pieces of hardware with some software running on it - there has to be some organisational structure which provides proof for this concept.

----------

## think4urs11

*massimo wrote:*

> > *Think4UrS11 wrote:*
> >
> > The firewall (no matter which technology/product(s)<snip>
>
> Well, that's the point I guess where our opinions of the meaning/idea behind the term firewall diverge.

Actually we're sharing the same opinion; just the wording differs. As said, to me 'the firewall' (as most people understand it) is just one technical part (consisting of one or more 'boxes of hard/software') of the complete security policy/framework - for you it is part of an org. structure (obviously the technical part) - not really that much difference.

Or to give a more real-life example:

A security concept/policy consists of

- packet filters (the classical 'firewall box')

- routing protocols+filters / structured network

- proxies for http/https/ftp/dns/... (the 'application level firewalls' if one likes that wording)

- NAT/PAT

- VPN gateways

- separation of internal/external DNS

- no direct access for internal machines to internet boxes (unless really not possible without and only heavily restricted etc.)

- no access for internet exposed machines (outer DMZ) to internal machines

- usage policy for both admins and users (you shall not watch porn, you shall not delete user documents, you can not inspect logfiles without approval, etc.)

- access rules on filesystem/folder level

- access rules for individual workstation/server systems (login, console access, etc.)

- access rules on identity store level (GPOs and OU structures within AD)

- admin rights to workstations only where really needed (weird windows software, helpdesk personnel, ...)

- internal update servers (no direct pulling from windowsupdate and such)

- delegation of admin rights to differing people (no 'super-admin' for anything)

- no 'hidden' modem dial-outs, no Host2Host-WLan, no GPRS-links when connected to internal LAN, ...

- AV-Software on _all_ levels; workstations, servers, proxies, Malware-Checking, ...

- IPS/IDS-Systems

- ....

----------

