Our guiding principle in developing solutions to address these security problems is to allow users at PlanetLab sites as much access to the Web as they would have without using a proxy, and to allow other users as much ``safe'' access as possible. To tailor access policies, we classify client IP addresses into three groups - those local to this CoDeeN node, those local to any site hosting a PlanetLab node, and those outside of PlanetLab. Note that our security concerns focus on how we handle possibly malicious client traffic, and not node compromise, which is outside the scope of this paper.