Firewall Wizards mailing list archives
RE: Reverse proxy ??
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Fri, 05 Nov 1999 11:00:25 -0500
First, a comment... Have the list members noticed that the few disagreements on this list are virtually all regarding terminology? ;) I know that I've been frustrated most of my career by the technologist's syndrome: first we have to define what we're talking about, then we can discuss it. :) Back in the early days of firewalls, I tried to propose a set of terms, many of which stuck ("bastion host", "proxy", etc) but within a few months vendors had made their own interpretations (of course) to suit. The issue of terminology is amazingly frustrating. I don't think it'll go away, either. So, let's all be gracious and as the discussion goes forward, let's remember that when I say "tomato" I probably am talking about "potatoes" :)
I would like to put it to the group to define a Reverse Proxy attack!
A "proxy" or "application gateway" was originally a term used to describe the class of software systems that exist to carry data back and forth (and hopefully apply security policy) between two networks. I would therefore say that a "reverse proxy" is a special case of a proxy, designed to carry traffic from a less trusted network into a more trusted network (again, hopefully applying some kind of security policy). I believe the most commonly used form of reverse proxy is for web traffic - in which a web server inside the firewall is accessed by external systems through the proxy. Proxies may perform caching. Proxies may perform content analysis. Proxies may perform load spreading. Those are details except as they apply to the next definition. A "reverse proxy attack" would be an attack launched through a reverse proxy. This would typically take the form of an attack that triggers a vulnerability in the application server that is being proxied to. So, for example, a reverse proxy attack against a web server would be an attack which could successfully drive a web server buffer overrun through the proxy (in spite of the proxy's security policy/content analysis/caching/etc) and exploit a weakness in the web server. A reverse proxy attack might also successfully exploit a hole in a mail transfer agent, despite the presence of an intervening mail proxy. mjr. -- Marcus J. Ranum, CEO, Network Flight Recorder, Inc. work - http://www.nfr.net home - http://www.clark.net/pub/mjr
Current thread:
- RE: Reverse proxy ??, (continued)
- RE: Reverse proxy ?? Rafi Sadowsky (Nov 04)
- Re: Reverse proxy ?? Rui Pereira (Nov 04)
- RE: Reverse proxy ?? Anton J Aylward (Nov 04)
- RE: Reverse proxy ?? Don Tuer (Nov 05)
- RE: Reverse proxy ?? dreamwvr (Nov 06)
- Re: Reverse proxy ?? Brad Van Orden (Nov 04)
- RE: Reverse proxy ?? Eric Toll (Nov 05)
- RE: Reverse proxy ?? fernando_montenegro (Nov 05)
- RE: Reverse proxy ?? Eric Toll (Nov 05)
- RE: Reverse proxy ?? Scott, Richard (Nov 05)
- RE: Reverse proxy ?? Marcus J. Ranum (Nov 05)
- RE: Reverse proxy ?? Eric Toll (Nov 08)