Security Basics mailing list archives

Re: A Good Reverse Proxy Product

From: Jon Kibler <Jon.Kibler () aset com>
Date: Wed, 30 Apr 2008 19:16:01 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Guibord wrote:


Greetings to all,

We have a new MS Exchange server and the administrator wants to provide remote Outlook Web Access access to it from 
the internet.
As opposed to having a direct outside to inside translation to it I was told that we could put a reverse proxy server 
in the DMZ and then provide a DMZ to inside translation form there.

First of all does this sound like the safest approach and if so can anyone provide the name of a good stable/secure 
reverse proxy product.

Thanks,

Paul


Paul,

Besides remote web access for Lookout -- I'm sorry, I mean Outlook --
what other factors are driving this request / need?
   -- Caching data for frequently visited sites?
   -- Restricting what can be accessed on the web?
   -- Network admission control?
   -- Malware scanning?
   -- Cost?
   -- Performance?

I never trust software to do anything that cheap hardware can do better.
 Any NAT functionality is functionality best performed by a router or
firewall.

What type of network connection to you have?
   -- DSL? Get a Cisco877 SEC K9. It supports inbound static NAT. But,
even better, it supports SSL VPNs for web access to internal services
such as email -- and other high-end security features not found on most
DSL routers. (Plus, it is a lot cheaper than buying a windows box and ISA!)
   -- T1 to 4xT1? Get a Cisco2811. Supports all of the above and more.
   -- > 4xT1? You definitely do NOT want a proxy like ISA!

Again, always go with hardware! It may sometimes cost a few more $$ up
front, but any difference will pay for itself in no time at all.

Now if your REALLY have security as an objective, you want to look at
something like websense or surfcontrol. I like websense primarily
because you can do content filtering on the fly in any of the 28xx or
87x series routers. You would be surprised how much less malware you
will get with such a solution.

DISCLAIMER: I am not associated with any of the vendors or products I
mentioned above.

Hope this helps!

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgY/bEACgkQUVxQRc85QlN+bgCfdLX+R9O4w59po82tzCE/D9D+
kf4AmwdsDPcl6oBPUsPHhlX5Oor06jo9
=oLYd
-----END PGP SIGNATURE-----




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

Current thread:

Re: A Good Reverse Proxy Product Jon Kibler (May 01)
- Re: A Good Reverse Proxy Product Adriel Desautels (May 01)
- <Possible follow-ups>
- RE: A Good Reverse Proxy Product Dan Lynch (May 01)
  - Re: A Good Reverse Proxy Product Aaron Howell (May 02)
    - Re: A Good Reverse Proxy Product Adriel Desautels (May 05)
- Re: A Good Reverse Proxy Product Aiko Barz (May 02)
- Re: A Good Reverse Proxy Product David Glosser (May 05)