Security Basics mailing list archives
Re: Reverse proxy versus shifting webserver to DMZ
From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Mon, 16 Jul 2007 16:53:00 -0700
Is a reverse proxy really that advantageous over hardening a webserver and shifting it to the DMZ?
In many cases, the company has partial, if not complete control of the web application code, and can therefore implement whatever security precautions are felt to be justified. At the same time, the company or sysadmin may not control or trust the httpd code or underlying operating system code on which the httpd is running. ("Trust" in the sense of withstand malicious attack, that is.) However, the web application may not run on any other platform and may have no more trustworthy substitute. In this case, a reverse proxy running code and an OS you trust, can shield the untrusted code from certain kinds of attack. A reverse proxy is running a full TCP/IP stack. It will reassemble requests spread across fragmented packets, so protective request-matching rules are less easily circumvented. Essentially, it acts as a layer 7 firewall for less cost than dedicated hardware to accomplish the same task. It can also serve to offload the security work to a different server so the real web server can just serve web pages. Reverse proxies are also useful for load balancing, or preventing code on the web server (uploaded by your clueless users, say) from being able to download and serve code from other websites.
Current thread:
- Reverse proxy versus shifting webserver to DMZ barcajax (Jul 16)
- Re: Reverse proxy versus shifting webserver to DMZ jean-philippe luiggi (Jul 17)
- Re: Reverse proxy versus shifting webserver to DMZ MaddHatter (Jul 17)