You are on page 1of 15

Interested in learning

more about security?

SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Security considerations with Squid proxy server
Securing and controlling workstation access to the web has never been an easy task for security professionals.
Firewalls and access control list on routers alone may not bring an acceptable level of security for your
organization. Even if their primary role is to reduce network traffic and improve performance, HTTP proxy
servers (also called cache servers) are likely to be installed as an additional security layer and as a web
surfing monitoring system. Having secure proxy servers is critical because many users depend ...

Copyright SANS Institute
Author Retains Full Rights

As part of the Information Security Reading Room. Option 1 03 By: Eric Galarneau 20 April 2. . 2003 te tu sti In NS SA © Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2003. ts igh ll r Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 fu ins eta rr Security considerations with Squid proxy server ho ut GIAC Security Essentials Certification Practical Assignment .4b.A Version 1. Author retains full rights.

Thus. other security measures in te place would be totally wasted. HTTP proxy servers (also called cache servers) are likely to be installed as an additional security layer and as a web surfing monitoring system. The importance of a secure restricted room in this tu case is even more critical because firewalls are likely to trust proxy servers for some ports and protocols. Attacks are often performed through unused running services. Having secure proxy servers is critical because many users depend on it for their work. These guidelines are a good starting points for the creation of a server Key fingerprint installation = AF19 FA27 2F94policy: 998D FDB5 DE3D F8B5 06E4 A169 4E46 http://www. Abstract Securing and controlling workstation access to the web has never been an easy task for security violate. CERT provides very useful guidelines on how to secure your UNIX system. Firewalls and access control list on routers alone may not bring an acceptable level of security for your organization. This vulnerability allows 20 someone with malicious intent to damage. alternative products such as open source software are often considered. When installing most UNIX operating system. sti In Squid is designed to run on a UNIX type system.A prevent people using other services to access the outside world without going through the proxy service. many unwanted services are likely to be installed by default. Software configuration parameters and an overview of logging and content filtering software will also be eta approached. NS Get rid of any services that would not be used since vulnerabilities in other SA services may give potential access to your system. If your organization does not have such policy. Several proxy ts server products are available nowadays. The main reason for installing Squid on a dedicated server is to . The most popular and widely used proxy server in this category is ll r Key fingerprintSquid. For example. If your proxy server is easily accessible to anyone. As part of the Information Security Reading Room. steal and falsify the information flowing through your proxy server. indisputably = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 fu This paper will cover various security aspects and recommendations to improve ins Squid’s overall security during its installation time. Even if their primary role is to reduce network traffic and improve performance. it 03 then becomes vulnerable and a very attractive target. This practice should already be covered in your server installation policy.html 2 © SANS Institute 2003. many UNIX like operating systems are installed with sendmail enabled by default while older versions of © sendmail are known to contain weaknesses and vulnerabilities. Installation rr ho It is critical that Squid be installed on a dedicated server located in a secure ut restricted room. . Author retains full rights. Since commercial products are very igh expensive.cert.

proxy servers are often targeted by hackers. Applying multiple tu layers of defense limits your system accessibility.squid-cache. Having the sticky eta bit set prevent cache data from being deleted or altered by another user or other processes on the rr A switched network offers protection against network sniffing and reduces the ho danger of having sensitive information stolen such as usernames and passwords ut used for Squid. the installation of sti firewalls and the use of router access lists are essential in order to restrict In connections to your proxy server. Once you are ready to proceed with the installation. . This only takes a few minutes and can save you from a disaster.txt The integrity of your source file should always be verified.A for an experienced hacker to use more advanced techniques to perform sniffing over a switched network noshell also sends a warning message to the syslog facility whenever a login is attempted with this sandbox user. More relevant information on this topic can be 03 found at the following location: 20 http://www. For example it is possible to execute code with the Squid user igh privileges by sending malformed URL’s.4/bugs Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 fu Squid requires directories to store cache data The purpose of creating a sandbox user is to limit the privileges from which a buffer overflow can be exploited. In addition to Squid. The organization’s web access security should not solely rely on Squid. It is suggested to set the sticky bit in the directories’ permissions. create a sandbox user specifically dedicated to Squid. Author retains full rights. Version access to Squid should be limited to the strict NS minimum.4 is known to contain a few buffer ts overflows. the possibility . Some people learned that the very hard way after running sendmail from sources that contained a Trojan horse.squid-cache. Even if switched network is highly recommended. Assign an invalid shell to the sandbox user or consider a free program called noshell. Noshell can be downloaded at the following location: http://www.php 3 © SANS Institute 2003. However. refer to the Squid bug list available at the following location: ll r http://www. SA Squid does not provide PGP signature at the present time. In addition to being an invalid shell. For additional details and patches on this vulnerability. Ensure that only the Squid ins user (sandbox) has read/write/execute access to these Refer to the following Key fingerprint link for = AF19 FA27 SANS 2F94 newsletter 998D FDB5 DE3Don Trojan horse F8B5 06E4 found A169 in 4E46 sendmail: http://www.php te Strong security can only be achieved with defense in depth. MD5 checksum is available at: © ftp://ftp. As mentioned earlier. Thus. As part of the Information Security Reading Room.

Therefore. In some cases.5.visolve.5.50.50. http_port 10. visit the Visolve web site at: ts http://squid.1 interface.1:7548 will make Squid listen on port 7548 on 10. Setting the maximum_object_size too In high would make it possible for an attacker to overload your proxy server by requesting numerous large objects and therefore slow down other proxy users. Configuration Squid involves a large number of parameters and options. any request coming from other interfaces will be ho ignored. As part of the Information Security Reading Room. Since port scanners are likely to assume 3128 and 8080 for proxy service. If more than one interface is used.A maximum_object_size value 03 minimum_object_size value 20 Data stored locally by a proxy server is often referred to as an object. This option is also interesting in a security standpoint since it sti helps to protect against a denial of The default password sent by Squid to anonymous FTP sites is assigned by the ftp_user option. quick_abort_max. FTP sites look for valid email 4 © SANS Institute 2003. NS This type of denial of service attack can be performed even more easily if Squid SA is configured to continue downloading objects after the request has been cancelled. this is Squid’s default configuration but it can be changed using quick_abort_min. quick_abort_pct options. Author retains full rights.htm igh http_port ll r Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 The option http_port defines which port number squid listens to for incoming fu requests. For rr example.conf. © ftp_user Squid@ ftp_passwive on ftp_sanitycheck on Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 It is important to understand that Squid is not an FTP proxy but it supports FTP through HTTP. If your server has more than one interface. This configuration file is stored on the system at the following location: {INSTALLPATH}/etc/squid. . . The te parameters max_object_size and minimum_object_size allows forcing limits on tu the size of a cached object. Squid supports multiple http_port ut lines. The default port is 3128 but it is recommended to change this port ins number to any other available port in the high range. you can restrict the IP address on which it listens to. Unfortunately. The primary goal of this option is to optimize the cache/HIT ratio. The default configuration file already includes minimal documentation to get started. For additional information on Squid parameters.default This paper will only cover the most important parameters that can affect the security of the proxy server. running Squid on any other eta free port in the high range will make its detection more difficult.

Microsoft policy tools can be used to In prevent people from selecting this feature in internet explorer. NS SA The parameter authenticate_ip_ttl defines how long a client’s authentication should be bound to a particular IP address.html . Firewalls generally ts need fixups in order to handle an active FTP session. Additional details ho on this Squid vulnerability can be found at the following location: ut http://www. Key fingerprint = AF19 FA27 value request_header_max_size 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 The request_header_max_size option is used to limit the size of acceptable HTTP headers.conf file. The default value of 10 kilobytes is more than reasonable since 5 © SANS Institute 2003. The passive mode is considered to be more secure because it uses 2 fixed ports. addresses used as a As part of the Information Security Reading Room. A compromised DNS rr server is often used by attackers to divert proxy servers and certain Squid versions can be crashed by sending malformed DNS answers. one for connection and one for data transfer while the active mode uses ephemeral ports. Create a valid email alias that will serve exclusively to this purpose and make sure emails sent to this address can be read regularly. Author retains full rights. This email address will be used to report any abuse coming from your proxy server.A authenticate_ttl value 03 authenticate_ip_ttl value 20 When authentication is used. The option ftp_passive is turned on by default and should be left as is unless your firewall does not support passive mode. This parameter should therefore be used with precaution. Recent versions of squid igh now offer the ftp_sanity_check option. The purpose of this parameter is to discourage people from sharing their passwords among themselves. the parameter authenticate_ttl defines how long te Squid is to remember client authentication information. . This option forces the tu client to re-authenticate himself after the specified period (TTL) has expired.xatrix. The above should be covered in your organization’s internet usage policy. Name servers used by squid must come from trustable sources and configured safely. The © downside of using this parameter is it can inadvertently block legitimate access to some clients where IP addresses are subject to change regularly such as dialup users. Different name servers eta can be listed by using dns_nameservers directive. left fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 fu dns_nameservers value ins Squid uses the name servers listed in /etc/resolv. Recent versions of internet explorer allow you to remember username and sti password making this option useless. This option uses an extensive mechanism to ensure the connection is established with the requested server and it must be ll r Keyon.

A From a security perspective. client_lifetime value pconn_timeout value The client_lifetime sets the maximum time a client is allowed to be bound to a ts Squid process. etc) • method: HTTP request method (get. Most denial of service attacks against proxy servers are attempted by sending them headers larger than what they can handle. The pconn_timeout parameter is similar to the eta client_lifetime parameter with the exception that it only applies to idle connections. An attacker can take fu advantage of a lifetime that is too long by opening a large number of sockets. It is ll r common to see Key fingerprint = clients connected AF19 FA27 for hours 2F94 998D FDB5 during the course DE3D F8B5 of a working 06E4 A169 4E46 day but most of the time. te tu According to the Squid FAQ. acl defines the element to be controlled and http_access permits or denies the element. As part of the Information Security Reading Room. Two parameters are required to 20 achieve this control. these are simply hang-up processes. igh Depending on your organization setup. a lifetime of 6 hours would probably be appropriate while a lifetime of 24 hours would be considered quite long. This protects your server from having too many sockets opened. etc) 6 © SANS Institute 2003. leaves out the protocol and hostname Key•fingerprint port: destination (server) = AF19 FA27 2F94 port 998Dnumber FDB5 DE3D F8B5 06E4 A169 4E46 • myport: local port number that client connected to • proto: transfer protocol (http. This controls whatever a 03 particular HTTP request is permitted or denied. Author retains full rights. ftp. . rr Acl aclname element ho http_access permit|deny aclname ut . This option should therefore be left to its default value and never be disabled. the possible elements are: sti • src: source (client) IP addresses In • dst: destination (server) IP addresses • myip: the local IP address of a client's connection NS • srcdomain: source (client) domain name • SA dstdomain: destination (server) domain name • srcdom_regex: source (client) regular expression pattern matching • dstdom_regex: destination (server) regular expression pattern matching © • time: time of day. a longer client lifetime period makes Squid more vulnerable to this type of denial of service attack. the average header size is approximately 512 bytes while very large headers may hit kilobytes. and day of week • url_regex: URL regular expression pattern matching • urlpath_regex: URL-path regular expression pattern matching. post. one of the most important section of the configuration file is the access control list (ACL’s). ins Therefore.

A Acl all src 0. . 20 http_access allow mainplan # Allow IP addresses from 10.0. ho The following is an example of limiting proxy access from source addresses ut 10. Acl mainplan src 10.0. A eta good practice would consist of including an http_access deny all statement at the end of your ACL’s list. # Every IP addresses.255. port 25 should SA never be included to your list of trusted ports.0.50.0 network.0/255. The example below demonstrates how multiple port numbers can be specified and how they © can be placed on the same declaration line: Acl all src 0. • browser: regular expression pattern matching on the request's user-agent header • ident: string matching on the user's name • ident_regex: regular expression pattern matching on the user's name • src_as: source (client) Autonomous System number • dst_as: destination (server) Autonomous System number • proxy_auth: user authentication via external processes • proxy_auth_regex: user authentication via external processes • snmp_community: SNMP community string matching ts • maxconn: a limit on the maximum number of connections from a single igh client IP address • req_mime_type: regular expression pattern matching on the request ll r content-type Key fingerprint header = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 • arp: Ethernet (MAC) address matching fu ins Squid ACL’s are first match meaning that the first http_access statement permitting/denying the request wins over any other declaration thereafter. tu The trusted_ports is one of the most important acl element and is used to restrict sti connections to certain port numbers.0 network.0.50.50. Port numbers should never be added simply because you think you might need them some day. Note that HTTP and NS SMTP headers are very similar in design and because of this.0.0/0.0.50. The best approach for this declaration is to In strictly add the port numbers as needed. Including port 25 would make it possible for someone to relay email messages through Squid.0 network.0 # Every IP addresses. # IP addresses from 10. This will make whatever is not explicitly permitted to be rr denied by default.0: .0.0/255. As part of the Information Security Reading Room. Author retains full rights.0 # IP addresses from 10.50. 03 Acl mainplan src 10.0.0 network. te http_access deny all # Deny every IP addresses.0. 7 © SANS Institute 2003. Keytrusted_ports Acl fingerprint = AF19 port FA27 21 802F94 443 998D # ListFDB5 DE3Dports of trusted F8B5 06E4 A169 4E46 http_access deny !trusted_ports # Deny if not a trusted port http_access allow mainplan # Allow IP addresses from 10.0/0.0/255.

isi. Squid supports two authentication methods.50. Basic authentication method is an acceptable choice.0 # Every IP addresses. 8 © SANS Institute 2003.A with authentication: 03 # Required parameters 20 auth_param basic program {PATH}/libexec/ncsa_auth {PATH}/etc/passwd auth_param basic children 5 te auth_param basic credentialsttl 2 hours tu auth_param basic realm External network access sti The main purpose of the auth_param basic program parameter is to specify In which helper is to be used by Squid. Various authentication modules such as NCSA. The auth_param basic children states how many children helper process to start and auth_param basic credentialsttl NS protects against replay attacks by specifying how long usernames and SA passwords are valid for. http_access deny all # Deny every IP addresses.0. auth_param basic realm is the message displayed in the browser authentication dialog box. read the RFC 2617 available at: fu ftp://ftp. Keypasswd Acl proxy_auth fingerprint REQUIRED = AF19 FA27 2F94 998D# FDB5 True ifDE3D authentication F8B5 06E4isA169 successful.txt ins The acl proxy_auth REQUIRED declaration is used to define that authentication eta will be used. In ll r other cases. 4E46 http_access deny !trusted_ports # Deny if not on a trusted port number. this feature will make the monitoring task much easier by showing the username along with the GET request log entry. This declaration combined with http_access will prompt the client browser to specify a username and password before allowing the request.255.0. LDAP and NTLM are supported by Squid and referred to as helpers. Finally. For complete details on these methods.0 # IP addresses from 10. Squid supports authentication and its usage is strongly encouraged.0.0.0/0. the Key fingerprint Digest = AF19 authentication FA27 method 2F94 998D FDB5 is undoubtedly DE3D the method F8B5 06E4 A169 4E46 to be used.0.0. As part of the Information Security Reading Room. Acl mainplan src 10. Basic sends password in igh cleartext while Digest sends it encrypted.0. the browser uses credentials to remember this information for future requests. In addition to providing more security. If authentication is only required for accounting Author retains full rights.0/255. Below is an example of enabled authentication with Basic NCSA helper: © Acl all src 0.50. After rr having entered the username and password. ho ut The following required parameters should be inserted before going any further . These methods are known as Basic ts and Digest and are differentiated by encryption. Acl trusted_ports port 21 80 443 # Port numbers to be trusted. .0 network.

Acl declarations must be defined in your configuration to enable delay pools. In a security point of view.0. . Turning off this header might cause clients some problems accessing certain web sites. ll r Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 cache_effective_user nobody fu cache_effective_group nobody ins The cache_effective_user and cache_effective_group options specify under eta which user and group Squid will be running. igh Squid does not have a default maximum body size. http_access deny all # Deny every IP addresses. this option gives you the possibility to limit the network © usage from a particular network leaving more network availability to other services.0 network. In a practical point of view. ho forwarded_for value ut .50. it will cause an infinite loop and possibly crash your proxy server. A reasonable value of approximately 2 megabytes should therefore be considered.A A web server does not see connection with the client but rather sees the connection with the proxy. The defaults are set to user and group nobody. Squid must be compiled to support delay pools. http_access allow mainplan passwd # Allow authenticated users from 10. However. Author retains full rights. As part of the Information Security Reading Room. reply_body_max_size value The reply_body_max_size option imposes a maximum size of a reply body. If someone 9 © SANS Institute 2003. Use this option with care because if the value is smaller than Squid ts error pages. a global delay pool makes it difficult for an attacker to harm other network services by trying to flood your proxy server. turning it off gives you the te advantage of hiding the client’s IP address on the internet which is a very good tu security practice. These values are to be changed to the dedicated (sandbox) user rr as recommended earlier. coredump_dir Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 The coredump_dir is used to indicate where Squid is to save its coredump files. sti delay_pools In delay_access NS The delay_pool option allows you to limit transfer rates. This option is very useful to prevent users from downloading large files such as mpeg video files. To accommodate possible web server ACL’s based 03 on client address. Squid has its own HTTP header called 20 HTTP_FORWARD_FOR. The default is to save coredump into Squid’s installation directory. To help manage network SA bandwidth utilization.

This weakness will definitely need to be improved in upcoming versions of Squid. This option is on by default and should be igh left as such. Since these coredump files can get very huge. If this type of information is not required by your organization. write a script that will run this command periodically. Squid offers you the possibility to turn off logging.log. On the other hand.cgi script.log to log requests. As part of the Information Security Reading Room. turning it off is a very bad idea. . your current access.50. a Squid Acl can be used to limit its access as follows: ho ut acl cachemgr proto cache_object . ll r Cachemgr. Cache hits. This = Key fingerprint fileAF19 can FA27 be rotated by sending 2F94 998D a {INSTALLPATH}/sbin/squid FDB5 DE3D F8B5 06E4 A169 4E46 –k rotate. To manage huge log files effectively. if such information is required. © consider taking advantage of Squid’s peering capabilities. This method is dangerous since username and password are tu directly displayed on the browser address space. disregard installing rr cachemgr. that person would be able to fill the partition in which the coredump files are saved and cause a denial of service.log file will be moved to access.255. Be aware that cachemgr.cgi.255 http_access deny cachemgr !proxyserv 03 20 As a secondary security option.1. This script allows an ins administrator to obtain useful information such as DNS statistics.A acl proxyserv src 10. This makes it much more difficult ts for an attacker to falsify DNS queries.cgi sends over password using an te HTML form.1 and Squid starts over using a new access.log. ignore_unknown_nameservers This option verifies if the nameserver answering the lookup has the same IP address than the one the lookup was sent to. Until then. Dealing with huge log files may become a problem. should find the coredump directory in its default location (/ or /usr). active connections etc… eta This script could be useful to an attacker due to the information it reveals. If performance is a concern for you. Knowing that logging is the only way you can tell what is happening with your server. The performance benefit of turning off logging is simply not worth it! Squid uses access. zip the file and append a 10 © SANS Institute 2003. make sure you change this option to a directory outside a partition critical for system operation. consider another ACL on your web server to access the script.1/255. stay alert for sti eavesdropping! In Logging NS SA To improve performance.255. Author retains full rights.cgi Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 fu Squid comes with a cgi script called cachemgr. In doing so.

50. SA you may want to install HTTP virus filters. This report gives you an overview of where your uses have been. at what 20 time and how long they have spent browsing the internet. This is useful to detect audio/video streaming passing through your proxy server. .somewhere.68.somewhere.log file and generates a well presented HTML 03 report. SquidGuard also offers additional interesting features. If an HTTP filter is considered. Content filtering can be performed on the URL with a Squid acl but you must be aware that large Key fingerprint SquidFA27 = AF19 acl’s2F94 reduce theFDB5 998D proxy’s DE3Dperformance.5. TrendMicro is probably the most popular product which can work with Squid. other softwares can achieve this more efficiently such as SquidGuard which uses Berkeley databases to improve performance.squid-cache. make sure you plan additional resources to deal with the extra load caused by such filter. Archived log files should be saved periodically on safe long term storage for future reference. SARG is the most interesting free log analyzer currently available.177. As part of the Information Security Reading Room.7 TCP_MISS/200 505 GET http://www. Squid has its own logging format but also supports the HTTP standard log format.331 488 10.A In my sti Virus and content filters In Any virus administrator will tell you that keeping anti-virus software up to date on NS every workstation is almost not feasible. A large number of these analyzers are listed on Squid’s web site: ut http://www. In addition. SARG takes your given access. As an additional anti-virus protection. this report will help to detect abusive or abnormal usage of your proxy server.myname [21/Mar/2003:00:02:08 -0500] "GET HTTP/1. One interesting advantage of the Squid log format is its capability of reporting session duration. it © only supports a few operating systems.124 image/gif eta Log Analyzers rr Log analyzers are used to generate comprehensible reports from the access.onda. timestamp to it. HTTP Log format example: ts igh 10. Author retains full myname DIRECT/207.2 . For example.50. the TrendMicro product offers content filtering features. SARG is te available at: tu http://web.log ho file. However. SquidGuard 11 © SANS Institute . F8B5 06E4 IfA169 very4E46 large lists are expected.0" 200 3906 TCP_MISS:DIRECT ll r Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Squid Log format example: fu ins 1048204026. In addition to virus detection capabilities.

ho For optimal security. keeping up to date with Squid’s updates and new 20 discovered vulnerabilities is mandatory. it is imperative to log and monitor Squid.A successfully. can be configured to filter certain keywords from a determined network during a specified Content filters are not 100% effective. People with bad intentions are always coming up with new techniques and ideas to breach It is your duty to be NS one step ahead and the internet is a powerful resource to use for you to maintain SA this tu and Squid’s mailing lists available at: http://www.squid-cache. As part of the Information Security Reading Room. . Two good ways to be kept up to date is to consult Squid’s security advisories at: te http://www. The following is a good example: Will match. 03 As a security professional. One popular technique to avoid content filters consists of inserting HTML tags between words to prevent them from being matched. ts <B>Iamabadword</B> igh Will not match: ll r <B>Iam</B><B>abadword</B> Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 fu Both of the above examples will be displayed as Iamabadword (bold) in an HTML ins document. Many tools have ut been suggested and analyzed in this paper to help you achieve these tasks . SquidGuard is available at: http://www. Author retains full rights. eta Conclusion rr Security precautions must be taken at time of installation and configuration in order to bring Squid’s security to an acceptable risk level for your organization.html sti In Remember that one is never too informed. © Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 12 © SANS Institute 2003.squidguard.

4” Mar. 2003) eta 6.squid-cache. .org/tech_tips/unix_configuration_guidelines.squid-cache. References 1. rr URL http://www. 06E4 10.squidguard. SQUID-2002:3” July 3.4 22. 2003) 2. 12. As part of the Information Security Reading (Mar 6.html (Mar 26. 2001. 8. 2003) te tu 2002. 2003) 13 © SANS Institute 2003. 2003) NS SA Dalibor Glavan “Squid Compressed DNS Buffer Overflow Vulnerability” Mar. 2003) Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 13.xatrix. 2003) ll r 4. Brad Powell.php (Mar 26.A URL http://www. “md5s.php (Mar 26. URL http://www. “Squid Mailing lists” Jan. 2003) © 12. “Squid Cache Logfile Analysis Scripts” (Mar 26. 16. 2003) sti In 10.4/bugs (Mar 26. 19. KeySteven Sipes. “Buffer overrun on certain malformed URLs” Sep.squid-cache. URL http://www. 1999. “Noshell Ver 4.squid-cache.0.onda.txt (Mar 26. URL http://web. fingerprint “WhyFA27 = AF19 your2F94 switched 998Dnetwork isn’t F8B5 FDB5 DE3D secure” Sep. URL (Mar 26. (Mar 26. 1.squid-cache. igh URL http://www. 2003) ho 7.2. 2003) 03 8. 2002.cert. URL ftp://ftp. 2002. Unknown.4E46 A169 2002.sans. 2003) ts 3.txt” Mar. URL http://www. Dan Farmer. redirector and access controller for Squid – SquidGuard Ver. Author retains full rights. Squid 2. ut 28. 2003. Squid “SQUID-2002:1.html (Mar 26. Squid Mailing (Mar 26. Pedro L Orso. 2001.txt (Mar 26. “An ultrafast and free filter.isi.sans. Squid URL ftp://ftp. URL http://www. 1999. Lars Erik Haland. Cert Coordination Center “UNIX Configuration Guidelines” Feb.11” Apr. 2003) fu ins 5. URL http://www. 1998. 2003 URL . Cert “Advisory CA-2002-28 Trojan Horse Sendmail Distribution” Oct. SQUID-2002:2. Network Working group “Request for Comments: 2617 .0” Dec 18. 2003. “Squid and Web utilities – SARG Ver 1. Pal Baltzersen. 22.HTTP Authentication: 20 Basic and Digest Access Authentication” June. (Mar 26. Matt Archibald.

Dec 09. 2010 Live Event SANS Security East 2011 New Orleans. 2011 . Last Updated: December 1st. DC Dec 10. 2010 Live Event 2010 SANS OnDemand Books & MP3s Only Anytime Self Paced . 2011 Live Event SANS India 2011 Bangalore. 2011 . LA Jan 20. 2011 Live Event RSA Conference 2011 San Francisco.Jan 27. 2011 Live Event North American SCADA 2011 Lake Buena Vista. 2011 . 2011 Live Event DoD Cyber Crime Conference 2011 Atlanta. GA Jan 21.Feb 19.Feb 14. CA Feb 13.Mar 02. India Feb 14. 2010 .Jan 24.Mar 02. 2010 . AZ Feb 25. 2011 . 2011 . 2011 Live Event SANS Phoenix 2011 Phoenix. 2011 Live Event WhatWorks in Incident Detection and Log Management Summit OnlineDC Dec 08.Dec 17. FL Feb 23. 2010 Upcoming SANS Training Click Here for a full list of all Upcoming SANS Events by Location SANS Cyber Defense Initiative East 2010 Washington. 2011 .