Re: Reverse proxy scenario

[Predrag Zivic <pzivic () yahoo com>]

Well I don't know the app but this could be something
to think about...

FW1-SSLProxy-ReverseProxy-TransparentProxyFW-WEBDB-ACC

so fw-1 stays as what it was...
SSLProxy - terminates SSL connection (one can use
Alteon SSL Proxy or F5 BIGIP). HTTP traffic is pased
after the proxy, not SSL.
ReverseProxy - does reverse caching of the HTTP (one
can use NetApp caching).
TransparentProxyFW - Proxy based firewall (one can use
gauntlet, raptor or sidewinder) It checks the HTTP
traffic... So no ssl traffic hits the revers caching
or transparent prxy or the back end web/DB server
(passing SSL in my books is dangerous...).
and at the end your WEBDB-ACC info...
There are some problems that you must solve with this
set up (app cookies, network caching etc.) but it can
be done. 

Pez
P.S. This is what I would call paranoid set up but...

--- Carric Dooley <carric () com2usa com> wrote:
> OK.. I don't work much with proxies so I wanted to
> run this past you guys
> and get some input:
>
> I have a client (an internet bank) that wants to
> secure an account access
> front-end.  The architecture is:
>
> A front-end web server protected by FW-1 that the
> users actually attach to
> via SSL.  This web server would then connect back
> through the FW-1 to a
> private DMZ where it would have to speak through an
> application proxy to get
> to another webserver that has a database backend
> (the golden egg with
> account data that we are trying to protect).  The
> front end web server will
> make XML calls (hopefully over SSL or some other
> encrypted tunnel...
> suggestions?) through the proxy to the other
> database-backended web server.
> This way the user never actually interacts with the
> box that queries the
> database.  The mechanism of HOW they do this is
> beyond of the scope of what
> I care about  =), so I don't really want to go
> there.
>
> I have been researching proxying SSL and it looks
> like that's a pain in the
> a**.  I would like to get some input from anyone
> that has done revers
> http/https setups for companies.  I have looked at
> using something
> specifically for this, like Netscape Proxy, or going
> with something like
> Raptor or Gauntlet so they can add more
> functionality to this architecture
> later on.  I can't find any data on doing this with
> either Raptor or
> Gauntlet however.  I realize the proxy has to have a
> key for the SSL tunnel,
> and then talk to the other server via an ssl tunnel
> it creates using the web
> server's key (if you do ssl from the proxy to the
> internal web server, which
> may or may not be a requirement).  I am trying to
> get to a place where:
>
> If the front end box is comprimised, the traffic
> can't be sniffed for
> sensitve info.  The intruder would have to traverse
> the firewall AGAIN, and
> then bypass the application proxy, and defeat the
> security model for the
> database to get any info.  I guess the backend
> webserver is doing dynamic
> pages that will be transferred to the front end as
> static HTML.
>
> Any takers?  =)
>
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards


__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards