Re: Reverse proxy versus shifting webserver to DMZ

[MaddHatter <maddhatt+securitybasics () cat pdx edu>]

> Is a reverse proxy really that advantageous over hardening a webserver
> and shifting it to the DMZ?

In many cases, the company has partial, if not complete control of the web
application code, and can therefore implement whatever security precautions
are felt to be justified. At the same time, the company or sysadmin may
not control or trust the httpd code or underlying operating system code
on which the httpd is running. ("Trust" in the sense of withstand malicious
attack, that is.) However, the web application may not run on any other
platform and may have no more trustworthy substitute. In this case, a
reverse proxy running code and an OS you trust, can shield the untrusted
code from certain kinds of attack.

A reverse proxy is running a full TCP/IP stack. It will reassemble requests
spread across fragmented packets, so protective request-matching rules
are less easily circumvented. Essentially, it acts as a layer 7 firewall
for less cost than dedicated hardware to accomplish the same task. It can
also serve to offload the security work to a different server so the real
web server can just serve web pages.

Reverse proxies are also useful for load balancing, or preventing code
on the web server (uploaded by your clueless users, say) from being able
to download and serve code from other websites.