Firewall Wizards mailing list archives

Re: Reverse Proxy on DMZ


From: "Matt McClung, CCSA/CCSE" <mmcclung () ndwcorp com>
Date: Wed, 13 Jan 1999 08:43:47 -0700

I would disagree.  I have had to set up a proxy on a separate DMZ off the
firewall that I allowed to access an inside web server.  There was a need
for this setup (outside developers for a web app needed access to the dev.
server).  What you need to do is a couple of things:

  1. Harden your proxy server (I used Novell's BorderManager, which made it
harder in the 1st place)
  2. Verify your security from the inside and outside (scan both sides,
audit, review)
  3. Require strong authentication - one-time passwords etc.
  4. Make sure you have good audit trails and logs.
  5. Make sure your proxy server has the ability to limit where the users
can go...policy-based

With these steps, good design and following general security practices on
your web server you should have a good solution.

Matt McClung, CCSA/CCSE
Net.Works Security Engineer
mmcclung () ndwcorp com
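An added illustration of points 4 and 5 above (policy-based limits on where an authenticated outside user may go, with an audit line for every decision). This is example code written for this archive page, not code from the original post and not a BorderManager configuration; the users, path prefixes and sample requests are constructed, and the proxy is assumed to have already authenticated the user with a one-time password before this check runs. The path normalization goes a little beyond the post: it shows why the policy check must canonicalize the request path (dot-dot segments, percent-encoding, double-encoding) before comparing it to an allowed prefix.

```python
"""Policy check for a reverse proxy in a DMZ: decides whether an already
authenticated external user may reach a given path on the internal web
server, and records an audit line for every decision."""
import posixpath
import urllib.parse
from datetime import datetime, timezone

# Constructed sample policy (an assumption for this example): each external
# user may reach only the listed path prefixes on the internal server, and
# only with the listed methods.
POLICY = {
    "alice": {"prefixes": ("/dev/app",), "methods": {"GET", "POST"}},
    "bob":   {"prefixes": ("/dev/app", "/dev/docs"), "methods": {"GET"}},
}

# In-memory audit trail for the example; a real proxy would ship these lines
# to a log host off the DMZ so that someone who owns the proxy cannot erase them.
AUDIT_LOG = []


def normalize_path(raw_target):
    """Canonicalize the request-target so '..' segments and percent-encoding
    cannot escape an allowed prefix. Returns None for targets we refuse to
    evaluate (double-encoding, backslashes, no leading slash)."""
    path = raw_target.split("?", 1)[0]          # drop the query string
    path = urllib.parse.unquote(path)           # decode once: %2e%2e -> ..
    if "%" in path or "\\" in path or not path.startswith("/"):
        return None                             # still encoded or odd: refuse
    path = posixpath.normpath(path)             # collapse ., .., and //
    return path if path.startswith("/") else None


def path_allowed(path, prefixes):
    """Exact match or a true sub-path, so /dev/app does not admit /dev/apple."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def decide(user, method, raw_target, when=None):
    """Return (allowed, reason) and append one audit line for the decision."""
    entry = POLICY.get(user)
    path = normalize_path(raw_target)
    if entry is None:
        allowed, reason = False, "unknown user"
    elif path is None:
        allowed, reason = False, "unparseable path"
    elif method not in entry["methods"]:
        allowed, reason = False, "method not permitted"
    elif not path_allowed(path, entry["prefixes"]):
        allowed, reason = False, "path outside policy"
    else:
        allowed, reason = True, "policy match"
    ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    AUDIT_LOG.append(
        f"{ts} user={user} method={method} target={raw_target!r} "
        f"normalized={path!r} decision={'ALLOW' if allowed else 'DENY'} "
        f"reason={reason!r}"
    )
    return allowed, reason


def parse_request_line(line):
    """Split 'GET /dev/app/ HTTP/1.1' into (method, target); None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0].upper(), parts[1]


if __name__ == "__main__":
    # Constructed sample request lines from the outside developers.
    samples = [
        ("alice", "GET /dev/app/index.html HTTP/1.1"),
        ("alice", "GET /dev/app/../../admin/ HTTP/1.1"),
        ("bob", "POST /dev/app/submit HTTP/1.1"),
        ("bob", "GET /dev/docs/%2e%2e/secret HTTP/1.1"),
        ("carol", "GET /dev/app/ HTTP/1.1"),
    ]
    for user, line in samples:
        method, target = parse_request_line(line)
        print(user, line, decide(user, method, target))
    print("\n".join(AUDIT_LOG))
```

The deny reasons are deliberately distinct, so the audit trail from point 4 tells you whether you are looking at a typo, a misconfigured developer account, or someone probing for a way past the prefix list.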

-----Original Message-----
From: Perry E. Metzger <perry () piermont com>
To: Joel Snider <joel_snider () yahoo com>
Cc: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Tuesday, January 12, 1999 5:34 PM
Subject: Re: Reverse Proxy on DMZ
Joel Snider <joel_snider () yahoo com> writes:
I am sure that this has been discussed here before, but was unable to
find any references in the archives.  What are the pros and cons of
using a proxy (caching) server on a DMZ segment to allow access to an
internal web server?  The DMZ is hanging off a segment on a firewall.
The server would be used to provide extranet applications. Any
comments would be greatly appreciated. Thanks...

One questions what the point of having a firewall is if you are
providing access to web based applications running inside your
site. A web server is almost without a doubt the easiest thing to
break in to, so providing external access to a web server running on
the inside sort of obviates the whole point of having a firewall in
the first place.

.pm
