Hi Mike.
Huh? Get real, man, with that attitude you shouldn't connect anything to an untrusted network
The point is that even if someone exploits a firewall and gets root permissions, this person must be the smallest possible threat to the protected network.
Agreed. You try to reach that point using the principles of least privilege and defence in depth.
If you are logged in as root on a computer that acts as a firewall, you must not find any way to exploit the internal network:
Let's say you shouldn't. It is impossible to prevent completely. One point, perhaps the main one, of defence in depth is to give the defender time to realize he's under (partially successful) attack and react to the threat. Firewalling isn't about complete prevention; that's fiction. It's about protection and buying the time you need to be able to protect the soft and juicy insides.
1) there must not be an ftp client or other tools to download files to that computer,
2) there must not be access to a dns server mapping the protected network, so one would have to browse the log files to get an idea of the members of the internal network; make it as hard as possible to browse files (no editor),
3) all files should be read only or append only in multiuser mode so the boot structure cannot be manipulated,
4) the firewall computer should not do anything but filter and forward traffic.
These points all make sense, but they're neither complete nor justified in all situations.
I do not know about squid, but I would put it on a computer behind the firewall. Even for a 100Mbit network connection any old pentium 100 (or mac, or sparc, or whatever) with some ram should be able to handle the maximum possible load without problems. Given that such a computer will cost less than USD 100, cost should not be the reason not to have it!
What does your 'firewall' do? Is it a packet filter, perhaps using ipchains? All that does is look at TCP/IP header information. Any exploit against the squid daemon will work regardless of whether it is running on a separate box or the packet filter, provided they're configured the same way. There's no difference between being root on the packet filter or an internal machine with respect to the danger your internal network is in. The only thing that is more difficult if the squid box is internal is that you need to traverse the packet filter to reach the outside, but that's hardly a problem, since you need to allow that box to access 0.0.0.0/0, TCP ports 1-65535 anyhow, not knowing what ports the world's web servers listen on.

It does make sense to place the proxy into a DMZ, either off of a third NIC of the packet filter or by using two packet filters, one in front of the proxy and one behind it, separating the DMZ from the Internet and the internal network respectively. It could also make sense to use a non-caching security proxy, such as http-gw from the TIS FWTK, in the DMZ and employ squid in the internal network only.

Cheers,
Tobias
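The placement argument in Tobias's reply can be made concrete with a small first-match packet-filter model. The following is an added example, not code from the thread or from Squid or ipchains; it uses constructed addresses (10.0.0.0/24 internal, 192.0.2.0/24 DMZ, the proxy at 192.0.2.10 or 10.0.0.10, Squid's default port 3128, all assumptions) and models new connections only, not reply traffic. It shows the two designs side by side: with the proxy in a DMZ off a third NIC, the filter can refuse anything the proxy originates toward the internal network even though it may reach any port on the Internet; with the proxy on the internal network, proxy-to-client traffic never crosses the filter at all, which is the "no difference" point above.

```python
"""Three-zone packet-filter policy model (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan; all values are assumptions for the example.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
SQUID_PORT = 3128          # Squid's default listening port
ALL_PORTS = range(1, 65536)


def host(addr):
    """Single-host network for a rule's src/dst field."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: range              # destination ports the rule matches
    action: str                # "ACCEPT" or "DENY"
    note: str = ""


# Design 1: proxy in a DMZ on a third NIC. First match wins, default deny.
# The DMZ -> internal DENY must precede the proxy's general outbound ACCEPT,
# because 0.0.0.0/0 also covers the internal network.
DMZ_PROXY = ipaddress.ip_address("192.0.2.10")
DMZ_RULES = [
    Rule(INTERNAL, host(DMZ_PROXY), range(SQUID_PORT, SQUID_PORT + 1), "ACCEPT",
         "clients talk to the proxy only"),
    Rule(DMZ, INTERNAL, ALL_PORTS, "DENY",
         "nothing in the DMZ may originate into the internal net"),
    Rule(host(DMZ_PROXY), ANY, ALL_PORTS, "ACCEPT",
         "proxy fetches from any web server on any port"),
    Rule(INTERNAL, ANY, ALL_PORTS, "DENY", "no direct web access from inside"),
    Rule(ANY, INTERNAL, ALL_PORTS, "DENY", "Internet never reaches inside"),
]

# Design 2: proxy on the internal network behind a two-NIC filter.
# Only the proxy may originate connections to the outside.
LAN_PROXY = ipaddress.ip_address("10.0.0.10")
FLAT_RULES = [
    Rule(host(LAN_PROXY), ANY, ALL_PORTS, "ACCEPT", "proxy fetches from anywhere"),
    Rule(INTERNAL, ANY, ALL_PORTS, "DENY", "no direct web access from inside"),
    Rule(ANY, INTERNAL, ALL_PORTS, "DENY", "Internet never reaches inside"),
]


def zone(addr):
    """Which NIC a packet arrives on; anything not internal or DMZ is Internet."""
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "internet"


def decide(rules, src, dst, dport):
    """Return ACCEPT/DENY for a new TCP connection, or UNFILTERED when the
    packet stays on one segment and the filter never sees it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if zone(s) == zone(d):
        return "UNFILTERED"
    for r in rules:
        if s in r.src and d in r.dst and dport in r.dports:
            return r.action
    return "DENY"   # default policy


if __name__ == "__main__":
    print("DMZ  proxy -> internal ssh :", decide(DMZ_RULES, DMZ_PROXY, "10.0.0.5", 22))
    print("DMZ  proxy -> web:8080     :", decide(DMZ_RULES, DMZ_PROXY, "203.0.113.7", 8080))
    print("LAN  proxy -> internal ssh :", decide(FLAT_RULES, LAN_PROXY, "10.0.0.5", 22))
```

Running it shows the difference between the two designs: a compromised DMZ proxy gets DENY toward 10.0.0.5 while still reaching 203.0.113.7:8080, whereas a compromised internal proxy gets UNFILTERED toward 10.0.0.5, i.e. the packet filter offers no protection at all against it, exactly as the reply states.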