Firewall Wizards mailing list archives
RE: Back onto reverse proxies
From: Ben Nagy <ben.nagy () marconi com au>
Date: Wed, 28 Mar 2001 12:03:00 +0930
-----Original Message-----
From: stuart.flisher [mailto:stuart.flisher () btinternet com]
Sent: Monday, March 26, 2001 10:29 PM
To: firewall-wizards () nfr net; firewall-wizards () nfr com
Subject: [fw-wiz] Back onto reverse proxies

[...]

I have recently worked with two clients that have fronted a web server with a proxy server (reverse) for inbound web traffic. Not wanting to discuss SSL issues or load balancing issues - I ask the following: Does a reverse proxy add any value??
Not usually. They can sometimes catch layer 1-4 attacks, which is good if you have a firewall that doesn't already do that.
Consider that the web servers are part of a larger web application infrastructure with app servers, db servers, etc. There is no real web content on the web server as all the pages are dynamic, created by the app server. Isn't the web server, in this environment, already acting as a kind of proxy?
If only that were true! Wouldn't it be great if everyone designed their B2B app servers so that they didn't store any important data on the server itself? [...]
One point mentioned in a previous reverse proxy discussion was that if the traffic on both sides was SSL then a compromise of the server would not allow sniffing of the network to find sensitive data. Hey, but the server is a proxy creating two connections, decrypting inbound and then re-encrypting in a different session outbound. This means that the data is decrypted somewhere, probably in memory, allowing some clever git to read it.
Uh...no. Proxy servers do not and cannot decrypt / re-encrypt SSL traffic. If they did it would be bad. SSL accelerators, on the other hand, basically pretend to be the end server but provide their own cert. However, they don't usually re-encrypt the traffic and send it on though - that would defeat the whole purpose of SSL accelerators.
A possible plus for a proxy that has inbound http/SSL and clear http to the backend is that IDS boxes can read the http traffic looking for attacks.
[...] That sort of proxy would be an SSL accelerator. It would almost never be performance-effective to do SSL offload with 'normal' WWW server hardware. You mentioned SSL accelerators - they do that, but they don't normally do IDS. So, one advantage of having SSL accelerators is that you can put NIDS systems behind them, yes.
Comments on the role of a reverse proxy in this scenario would be appreciated.
My personal opinion is fairly aligned with yours. Reverse proxies provide only a marginal security win, unless you have a useless firewall.
Regards,
Stuart
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
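The two-connection model Stuart describes (inbound leg terminated at the proxy, a fresh outbound leg to the app server) and the inspection position Ben concedes (an IDS reading the clear-text leg behind the terminator) can be shown in a few dozen lines. The following is an added example for this archive page, not code from either poster: a minimal HTTP reverse proxy built from the Python standard library, with a backend stand-in, an inspection hook that runs between the two legs, and a demo driver. The hostnames, the `shop.example` vhost and the traversal-marker rule in `inspect()` are constructed for illustration. TLS is not set up here; terminating it on the inbound leg would mean wrapping the listening socket with `ssl.SSLContext.wrap_socket`, and the backend leg would stay plain HTTP, which is exactly the property that puts the request in clear text in the proxy's memory.

```python
"""Minimal two-leg HTTP reverse proxy (constructed example, stdlib only).

Leg 1: client -> proxy.  Leg 2: proxy -> backend, a separate TCP connection.
Between the legs the request exists in clear text in the proxy's memory; that
is where an inspection hook (the "IDS behind the accelerator" position) sees it.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Clear-text request lines observed between the two legs (what an inspector sees).
INSPECTION_LOG = []

# Assumption for the demo: request paths containing these markers are refused.
SUSPICIOUS_MARKERS = ("../", "%2e%2e")


def inspect(method, path, headers):
    """Record the clear-text request; return True to forward it, False to block."""
    INSPECTION_LOG.append(f"{method} {path} Host={headers.get('Host')}")
    lowered = path.lower()
    return not any(marker in lowered for marker in SUSPICIOUS_MARKERS)


class BackendHandler(BaseHTTPRequestHandler):
    """Stand-in for the app server: every page is generated dynamically."""

    def do_GET(self):
        body = f"backend saw {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_proxy_handler(backend_host, backend_port):
    """Build a handler class bound to one backend address."""

    class ProxyHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Leg 1 has been read and parsed: the request is now plain text in memory.
            if not inspect("GET", self.path, self.headers):
                self.send_error(403, "blocked by inspection hook")
                return
            # Leg 2: a fresh connection to the backend, clear HTTP.
            conn = http.client.HTTPConnection(backend_host, backend_port, timeout=5)
            conn.request("GET", self.path, headers={"Host": self.headers.get("Host", "")})
            resp = conn.getresponse()
            data = resp.read()
            conn.close()
            # Relay the backend's answer to the client on leg 1.
            self.send_response(resp.status)
            self.send_header("Content-Type", resp.getheader("Content-Type", "text/plain"))
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):
            pass

    return ProxyHandler


def start_server(handler):
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, path):
    """Client side of leg 1: one GET through the proxy, returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": "shop.example"})
    resp = conn.getresponse()
    status, body = resp.status, resp.read().decode()
    conn.close()
    return status, body


def run_demo():
    """Start backend and proxy, send one clean and one suspicious request."""
    INSPECTION_LOG.clear()
    backend = start_server(BackendHandler)
    proxy = start_server(make_proxy_handler("127.0.0.1", backend.server_address[1]))
    try:
        clean = fetch(proxy.server_address[1], "/account/balance")
        blocked = fetch(proxy.server_address[1], "/static/../../config")
    finally:
        proxy.shutdown(); proxy.server_close()
        backend.shutdown(); backend.server_close()
    return clean, blocked, list(INSPECTION_LOG)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The point to take from running it is where the inspection happens: `inspect()` sees the parsed request after leg 1 and before leg 2 is opened, so anything a terminator decrypts is readable there, whether by a NIDS tap on the backend segment or by anyone who controls the proxy host. A proxy that keeps the backend leg in the same TLS session does not exist in this model; the two legs are independent connections.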
Current thread:
- Back onto reverse proxies stuart.flisher (Mar 27)
- <Possible follow-ups>
- RE: Back onto reverse proxies Ben Nagy (Mar 28)
- RE: Back onto reverse proxies Paul D. Robertson (Mar 29)
- RE: Back onto reverse proxies stuart.flisher (Mar 29)
- RE: Back onto reverse proxies Paul D. Robertson (Mar 29)
- Re: Back onto reverse proxies ark (Mar 28)