Firewall Wizards mailing list archives
Re: Reverse Proxy on DMZ
From: "Matt McClung, CCSA/CCSE" <mmcclung () ndwcorp com>
Date: Wed, 13 Jan 1999 08:43:47 -0700
I would disagree. I have had to set up a proxy on a separate DMZ off the firewall that I allowed to access an inside web server. There was a need for this setup (outside developers for web app needed access to dev. server). What you need to do is a couple things:

1. Harden your proxy server (I used Novell's BorderManager which made it harder in the 1st place)
2. Verify your security from the inside and outside (scan both sides, audit, review)
3. Require strong authentication - 1 time passwords etc.
4. Make sure you have good audit trails and logs.
5. Make sure your proxy server has the ability to limit where the users can go...policy based

With these steps, good design and following general security practices on your web server you should have a good solution.

Matt McClung, CCSA/CCSE
Net.Works Security Engineer
mmcclung () ndwcorp com

-----Original Message-----
From: Perry E. Metzger <perry () piermont com>
To: Joel Snider <joel_snider () yahoo com>
Cc: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Tuesday, January 12, 1999 5:34 PM
Subject: Re: Reverse Proxy on DMZ
Joel Snider <joel_snider () yahoo com> writes:

I am sure that this has been discussed here before, but was unable to find any references in the archives. What are the pros and cons of using a proxy (caching) server on a DMZ segment to allow access to an internal web server? The DMZ is hanging off a segment on a firewall. The server would be used to provide extranet applications. Any comments would be greatly appreciated. Thanks...

One questions what the point of having a firewall is if you are providing access to web based applications running inside your site. A web server is almost without a doubt the easiest thing to break in to, so providing external access to a web server running on the inside sort of obviates the whole point of having a firewall in the first place.

.pm
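Points 3 to 5 of the reply above (authenticated users, audit trail, policy limits on where users can go), sketched as an added example that is not part of the original thread and not BorderManager's own configuration. The host name, user names and policy table are constructed, and authentication is assumed to have completed before `decide` is called.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy: the single internal host and the path prefixes each
# authenticated extranet user may reach through the DMZ proxy.
BACKEND = "dev.internal.example"
POLICY = {
    "dev-alice": {"methods": {"GET", "POST"}, "prefixes": ("/app/",)},
    "dev-bob": {"methods": {"GET"}, "prefixes": ("/app/docs/",)},
}
AUDIT_LOG = []  # stand-in for an append-only log kept off the proxy host


def decide(user, method, url):
    """Return (allowed, reason) for one proxied request and audit it."""
    parts = urlsplit(url)
    # Decode and normalise before matching so "/app/../admin" or
    # "/app/%2e%2e/admin" cannot slip past a prefix check.
    raw = unquote(parts.path) or "/"
    path = posixpath.normpath(raw)
    if raw.endswith("/") and path != "/":
        path += "/"  # normpath drops the trailing slash; restore it
    rule = POLICY.get(user)
    # Default deny: every branch except the last one rejects.
    if rule is None:
        verdict = (False, "unauthenticated or unknown user")
    elif (parts.hostname or "").lower() != BACKEND:
        verdict = (False, "destination host not permitted")
    elif method.upper() not in rule["methods"]:
        verdict = (False, "method not permitted")
    elif not path.startswith(rule["prefixes"]):
        verdict = (False, "path outside policy")
    else:
        verdict = (True, "ok")
    # Log denials as well as permits; denials are what an audit looks for.
    AUDIT_LOG.append({"user": user, "method": method, "url": url,
                      "path": path, "allowed": verdict[0],
                      "reason": verdict[1]})
    return verdict
```
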