[squid-users] RV: squid
Amos Jeffries
squid3 at treenet.co.nz
Fri Jun 16 12:59:51 UTC 2017
On 16/06/17 23:57, javier perez wrote:
> They could open just a range of 5 dynamic ports and monitor them
> intensively...
I take it by "they" you mean the passive attacker? The server may open
any of (2^N) * (2^15) ports, where N is the number of IPs assigned to
the server, both IPv4 and IPv6. A range of 5 has very minuscule
probability of success.
My point was that "for security" is bogus. In the end neither mode is
actually "secure" because the CTRL channel leaks like a sieve.
The reasons for choosing one over the other are solely about whether
your network design and that of all networks your clients' traffic goes
through allow that mode to work properly. NAT and similar things
existing all over the place nowadays invariably means passive mode is the
only way to get working FTP connections, so even laziness is
self-inflicted pain.
>
>> Hello Matus,
>>
>> You are right, the thing is that our clients are not going to open any
>> other port than 20 and 21 for security measures (or laziness).
> FYI: The "for security" argument is bogus because:
>
> a) allowing any random client to determine their own arbitrary port
> number(s) is strictly worse for security than having your control point
> (Squid) select the port, and
>
> b) limiting that client-selected port to 20/21 makes the data between client
> and Squid go over a port which is more easily predicted and therefore
> interceptable by passive attack.
>
> Amos
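As an added illustration of the "control channel leaks" point made in the thread (example code, not from the original posts): anyone who can read the clear-text FTP control channel learns the data-channel endpoint in either mode, so restricting which ports the client may pick adds no secrecy. The control-channel log below is constructed, and only the IPv4 PASV reply and PORT command forms are parsed (not EPSV/EPRT).

```python
import re

# Constructed control-channel capture, as a passive observer on the path
# would see it: FTP commands and replies travel unencrypted. It contains one
# passive-mode reply (227) and one active-mode command (PORT).
SAMPLE_CONTROL_LOG = """\
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@example.org
S: 230 Login successful.
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80).
C: RETR report.pdf
C: PORT 198,51,100,7,8,21
S: 200 PORT command successful.
C: LIST
"""

# h1,h2,h3,h4,p1,p2: four address bytes followed by the 16-bit port as two bytes
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def data_endpoints(control_log):
    """Return [(mode, ip, port)] for every data-channel endpoint announced on
    the control channel, regardless of which mode the client chose."""
    found = []
    for line in control_log.splitlines():
        direction, _, text = line.partition(": ")
        if direction == "S" and text.startswith("227"):
            mode = "passive"          # server tells the client where to connect
        elif direction == "C" and text.upper().startswith("PORT "):
            mode = "active"           # client tells the server where to connect
        else:
            continue
        m = _HOSTPORT.search(text)
        if m is None:
            continue
        fields = [int(x) for x in m.groups()]
        if any(not 0 <= x <= 255 for x in fields):
            continue                  # malformed; every field must fit one byte
        h1, h2, h3, h4, p1, p2 = fields
        found.append((mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return found


if __name__ == "__main__":
    for mode, ip, port in data_endpoints(SAMPLE_CONTROL_LOG):
        print(f"{mode:8s} data channel visible on control channel: {ip}:{port}")
```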