At http://www.kb.cert.org/vuls/id/435052 the text reads:
* Internal services that use an authentication scheme (such as a username/password) are not as likely to be affected by this issue.
* Network designs that have limited connectivity between the proxy and internal services will prevent an attacker from obtaining direct access to these services via the proxy. Administrators should consider using access control lists or firewall rules to prevent direct connections between internal servers and proxy servers.
* Administrators should configure the proxy to use only the protocols and ports which are required for normal operation. In particular, administrators should limit the CONNECT method to only the minimum required port range (usually 443/tcp).
* When possible, router or switch access control lists should be configured to prevent HTTP proxy servers from connecting to servers using ports or protocols that they should normally use. HTTP proxy servers do not usually need to communicate with well known ports other than 80/tcp and 443/tcp.
but once it passes through http://jvn.jp/cert/JVNVU435052/index.html it becomes:
* Use authentication for internal services.
* Control access so that internal servers and the proxy server cannot reach each other directly.
* Keep the ports permitted for the CONNECT method to the necessary minimum (normally 443/tcp).
* Use router or switch access control lists to deny unnecessary connections from the proxy server (for example, deny everything other than 80/tcp and 443/tcp).
Quite a compression ratio (deadpan).
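As an added example that is not part of the original post or of either advisory, the Python function below applies the advisory's CONNECT-port and internal-address rules to individual proxy request lines; the allowed port sets and the internal address ranges are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Policy taken from the advisory's recommendations: CONNECT only to 443/tcp,
# other methods only to 80/tcp and 443/tcp, and no proxying into internal ranges.
ALLOWED_CONNECT_PORTS = {443}
ALLOWED_HTTP_PORTS = {80, 443}
# Constructed example of "internal" ranges the proxy must never reach.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "fc00::/7", "::1/128")]


def is_internal(host):
    """True when host is an IP literal inside an internal range. Hostnames are
    not resolved here; a real proxy applies this check to the resolved address."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(request_line):
    """Decide whether a proxy should forward the given HTTP request line.
    Returns (allowed, reason)."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, _version = parts
    try:
        if method == "CONNECT":
            # authority-form target (host:port); the port is mandatory
            url = urlsplit("//" + target)
            if url.port is None or not url.hostname:
                return False, "CONNECT without explicit port"
            if url.port not in ALLOWED_CONNECT_PORTS:
                return False, f"CONNECT to port {url.port} denied"
        else:
            # absolute-form target (scheme://host[:port]/path)
            url = urlsplit(target)
            if url.scheme not in ("http", "https") or not url.hostname:
                return False, "only absolute-form http/https targets are proxied"
            port = url.port or (443 if url.scheme == "https" else 80)
            if port not in ALLOWED_HTTP_PORTS:
                return False, f"{method} to port {port} denied"
    except ValueError:
        return False, "invalid port in request target"
    if is_internal(url.hostname):
        return False, "destination is an internal address"
    return True, "permitted"
```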