Quote:
Originally Posted by immortaltechnique
and since we want to do away with our firewall which has proven ineffective,
I'd rather be more interested in knowing the reasons for your last/present firewall's ineffectiveness. Rectifying them would be the best solution in your case.
And if you're gonna ask me how I'm gonna set up networking in your case, then:
1. I would rather break those 1000 clients into further sub-LAN systems (department-wise breakup). This gives a big security thrust at the LAN level.
2. With squid (let it be a parent or a child) I can then allow/deny or apply filtering per client set (what to grant to whom & what to deny to whom).
3. I would rather say a big NO to specifying my squid box to act as the gateway for my clients. (Being first at protection, I will not make my clients aware of the gateway.) That wipes out the use of a transparent proxy.
4. If you want to block ports with squid, yes you can do it; you can add or remove them from the list of Safe_ports.
5. After the other sort of work is done at the squid level, we have to tune up the routing tables (I do not encourage anyone to have default gateways on your boxes; you should understand the scope & create routes appropriately).
6. If you are not sure about the usage of IPTABLES, ask someone who specializes in it (this is make or break for your whole network).
7. Please also make sure about what exactly your linux boxes are meant for, & hence close all the other services (they unnecessarily open ports & that increases the risk further thereafter).
8. Logging & log analysis is a must in any environment, & hence you should use some sniffer/logger or even an IDS at your firewall or gateways.
I might have missed a few points in there, but I hope others will do that.
Cheers,
Amit Sharma.
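To make points 2, 3, 4 and 8 of the post above concrete, here is an added squid.conf fragment (example config, not the poster's own): an explicit, non-transparent listener, department sub-LAN ACLs, a Safe_ports list, per-client-set destination filtering, a deny-all fallback and an access log. The subnet ranges, domain-list file paths and log path are assumed values for illustration.

```conf
# Added example (not the poster's own config): per-department allow/deny
# with squid ACLs plus Safe_ports handling. Subnets, file paths and the
# log path below are assumed values; adjust them to your own layout.

# Explicit (non-transparent) listener: clients must be configured to use
# the proxy, in line with point 3 of the post.
http_port 3128

# Department sub-LANs (assumed example ranges).
acl dept_finance src 10.10.1.0/24
acl dept_eng     src 10.10.2.0/24
acl dept_guest   src 10.10.9.0/24

# Ports squid is allowed to fetch from; anything else is refused up front.
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 21          # ftp
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# Refuse unsafe ports and CONNECT tunnels to anything other than SSL ports
# before any per-department rule is evaluated.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Destination filtering per client set (assumed example domain-list files,
# one domain per line, e.g. ".example-bank.test").
acl banking_sites dstdomain "/etc/squid/banking_sites.txt"
acl streaming     dstdomain "/etc/squid/streaming_sites.txt"

# Finance may reach banking sites; every other client set is denied them.
http_access allow dept_finance banking_sites
http_access deny  banking_sites

# Guests get no streaming; engineering and finance still do.
http_access deny  dept_guest streaming

# Grant each known department and deny everything not matched, so an
# unlisted client address never gets through by default.
http_access allow dept_finance
http_access allow dept_eng
http_access allow dept_guest
http_access deny  all

# Logging for the analysis mentioned in point 8.
access_log /var/log/squid/access.log squid
```

Squid evaluates http_access lines top to bottom and stops at the first match, so the order shown (port checks, then destination restrictions, then department grants, then deny all) is what makes the deny-by-default fallback effective.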