LinuxQuestions.org, Linux - Networking forum
#1  11-15-2006, 09:35 AM  immortaltechnique (Member)
Squid and parent proxies


Hi all, I am on my way to redesigning our network and the solution that came up was to use a proxy server, which we already have, to get requests for the users. We have approx 1000+ machines on the network and since we want to do away with our firewall, which has proven ineffective, we want to implement parent-child proxying and transparent proxying.
My question is, how do we implement the above without compromising security, and how do we ensure that only designated ports are enabled, e.g. 80, 22, 53 etc.?
I am aware of the ACLs and the squid.conf file, but I am running on Red Hat. In Fedora only one line is used to implement the above, and since we can't do away with Red Hat I want to be certain of what changes to make. Thank you.
 
#2  11-15-2006, 09:51 AM  acid_kewpie (Moderator)
Without meaning to sound erm... condescending... you do what you want with Squid by reading the documentation and configuring it accordingly. Squid configs do not depend on the distro you are running; if it worked on Fedora, it'll work on Red Hat. If you have specific issues about certain functions of the configuration we'll be happy to help if we can.
 
#3  11-15-2006, 11:20 PM  immortaltechnique (Member, Original Poster)
ok

Hmmm, condescending or not, I really appreciate your help acid_kewpie. But here is the thing: when I was posting the above I knew that the man pages existed and that there was no difference between the distros. Maybe let me put it this way: I am asking for an opinion from the forum on whether that's the right way to go without a firewall or not. Seeing that you probably have a different way of understanding my questions, I'll try to be as concise as I can next time.
Thank you.
 
#4  11-16-2006, 01:43 AM  acid_kewpie (Moderator)
Well, you should absolutely always have a firewall in front of anything internet facing to protect from the outside world. Additionally, if you do *route* anything from the inside network to the internet then with multiple users you'd be wanting a firewall to control who can go out to where too. If there is no physical router configured to allow traffic out (including Linux running IP masquerading) and you live in a world that is purely centred around going through a proxy to get anywhere, then you wouldn't necessarily need to control outbound traffic at all. Best practices would always have a firewall in both directions though.
 
#5  11-16-2006, 09:19 AM  amitsharma_26 (Member)
Quote:
Originally Posted by immortaltechnique
and since we want to do away with our firewall which has proven ineffective,
I'd rather be more interested in knowing the reasons for your last/present firewall's ineffectiveness. Rectifying them would be the best solution in your case.

And if you're going to ask me how I would set up networking in your case, then:
1. I would rather break those 1000 clients into further sub-LAN systems (department-wise breakup). This gives a big security thrust at LAN level.
2. With Squid (let it be a parent or a child) I can then allow/deny or apply filtering on client sets (what to grant to whom & what to deny to whom).
3. I would rather say a big NO to specifying my Squid box to act as the gateway for my clients. (Protection comes first; I will not make my clients aware of the gateway.) That wipes out the use of a transparent proxy.
4. If you want to block ports with Squid: yes, you can do it; you can add or remove them from the list of Safe_ports.
5. After the other sort of work is done at Squid level, we have to tune up the routing tables (I do not encourage anyone having default gateways on your boxes; you should understand the scope & create routes appropriately).
6. If you are not sure about the usage of iptables, ask someone who specializes in this (this is make or break for your whole network).
7. Please also make sure about what exactly your Linux boxes are meant for, & hence close all the other services (they unnecessarily open ports & that increases the risk further thereafter).
8. Logging & log analysis is a must in any environment & hence you should use some sniffer/logger or even an IDS at your firewall or gateways.

I might have missed a few points in there... but I hope others will do that.

Cheers,
Amit Sharma.
 
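A squid.conf fragment, added here as an illustration and not taken from any poster, showing the child-to-parent chaining (point 2), the Safe_ports whitelist (point 4) and per-department client ACLs (points 1 and 2) in one configuration; the parent host name, subnets and time window are made-up values. One caveat for the port list asked about in post #1: Safe_ports only governs HTTP requests that pass through Squid, so SSH (22) and DNS (53) never reach the proxy and have to be decided by the packet filter (iptables), not squid.conf.

```conf
# Listening port for the child (LAN) proxy. No "transparent" option here,
# in line with point 3: clients are configured to use the proxy explicitly.
http_port 3128

# Child-to-parent chaining: every request is forwarded to the parent proxy
# and this box is never allowed to go direct to the Internet.
# "parent.proxy.example" is an assumed host name; ICP port 0 + no-query
# means plain HTTP forwarding with no ICP cache queries.
cache_peer parent.proxy.example parent 3128 0 no-query default
never_direct allow all

# Safe_ports is the list of destination ports Squid will proxy to.
# Only HTTP/HTTPS are listed; 22 and 53 are not HTTP traffic, so Squid
# never sees them and they must be controlled by iptables instead.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Per-department client sets (assumed addressing), each with its own rule.
acl dept_finance src 10.1.0.0/24
acl dept_eng src 10.2.0.0/24
acl office_hours time MTWHF 08:00-18:00
http_access allow dept_finance office_hours
http_access allow dept_eng
# Anything not explicitly allowed (unknown subnet, finance after hours)
# is denied; order matters, Squid stops at the first matching line.
http_access deny all

# Point 8: keep the access log. Denied requests show up as TCP_DENIED and
# are the first thing to review when tuning the rules above.
access_log /var/log/squid/access.log squid
```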
#6  11-16-2006, 09:56 AM  immortaltechnique (Member, Original Poster)
Transparent proxies

Amit Sharma, thank you so much. Now, the reason we are doing away with the firewall is because it's a SonicWall hardware which was initially intended to cater for a small number of users, and since the network has considerably grown it has been fatigued, since it carries out NAT and also serves as a default gateway for all machines. This was the setup used by the previous admin and now we want to restructure the network. We got rid of it for a while and we saw it was actually the cause of the network speed problems. It is still running, but before we can think of purchasing a new one we want the proxy to act as a firewall and to implement the parent-child proxies.
I have a bit of knowledge of iptables and I think that will be our next area of study.
Quote:
Logging & log analysis is a must in any environment & hence you should use some sniffer/logger or even IDS at your firewall or gateways.
I didn't get the above line. However, I'll get back to you with technical queries if they arise.
Thanks a lot.
 
#7  11-16-2006, 10:00 AM  acid_kewpie (Moderator)
The default for all machines? Is that a flat /16 network or a number of interfaces on /24s? If you're using it to route between clients and servers on the same site then you should look to separate your internal and external routing. You don't necessarily need to firewall clients from servers, depends wholly on your security policies really, but it is obviously a good idea. If this functionality can be removed then I'd wager the firewall still has a good life left in it when only used for external connectivity, running as a genuine edge firewall.
 
#8  11-16-2006, 10:24 AM  amitsharma_26 (Member)
Quote:
Originally Posted by immortaltechnique
Quote:
Logging & log analysis is a must in any environment & hence you should use some sniffer/logger or even IDS at your firewall or gateways.
I didn't get the above line. However, I'll get back to you with technical queries if they arise.
Thanks a lot.
With that I meant that you should always log packets that traverse your firewall, or maybe the !(packets you find reliable). This usually helps you to tune up your firewall in most cases & it also provides you proof against some hacking attempts.

--
And yeah, as I said, I might have missed some points in there:

9. As you are aware of the bandwidth you have for internet distribution (bandwidth IN != bandwidth distribution (OUT)), you should always plan it appropriately. I call it planned distribution; more generally we call it traffic shaping or bandwidth shaping. We use tc for this purpose, or in fact you can implement the same with Squid as well.
 