Firewall Wizards mailing list archives

RE: RE: Reverse Proxies?


From: "SecurityForums" <SecurityForums () sanctuminc com>
Date: Sun, 11 Mar 2001 14:12:13 +0200

Dear Robert,

In your message below, you ask about the ability of AppShield to respond to
new web-server attacks without issuing patches. Gladly, AppShield provides
defense for web-server in a manner that does not require constant patching
and updating of the web-servers (or AppShield). The security concept upon
which AppShield is built completely avoids this issue by specifying positive
security policy (what should enter the site) rather than negative policy
(what shouldn't enter the site). As such, new attacks are by definition
disallowed.

We hope this answers your question. For more information, please call us or
visit our site: http://www.sanctuminc.com. For information about AppShield,
go directly to http://www.sanctuminc.com/solutions/appshield/index.html .

Thanks,

Security Forums Group
Sanctum Inc
Tel: 408 855 9500 x206
email: securityforums () sanctuminc com
www.sanctuminc.com




Thank you,
        I'm not currently in the market for a reverse proxy, which is
why I did not talk about specific products, but instead tried to clarify
what a product needs to be a worthwhile reverse proxy. It does sound
like your product would be worth investigating for new sites.

On the more general side, I have not done a market review for some time
- on the commercial side the air-gap appliance was touted as having a
similar set of functionality. The Novell NCS suite, and the MS ISA
products seem a little below the functionality barrier from what I've
seen. On the free software side, both apache, with mod_rewrite (already
mentioned) and squid (not mentioned so far) have the capability to
perform fine grained access checks. I'm not aware of any other free
software packages aimed at http reverse proxying, with the fine grained
control we're talking about.

In my view one significant benefit of a roll-your-own environment is the
flexibility to quickly add protection against new web server attacks.
        - Does your product allow that? or do you require the users to
wait for patches?


Does anyone know of any other commercial reverse proxies along similar
lines? Are there existing market reviews? I'd be willing to do a review
if there is significant interest among the list readers. (please mail me
direct regarding that so as not to flood the list).

Rob





-----Original Message-----
From: SecurityForums [mailto:SecurityForums () sanctuminc com]
Sent: Sunday, March 04, 2001 11:43 PM
To: Robert Collins
Cc: firewall-wizards () nfr com
Subject: RE: Reverse Proxies? (was Re: [fw-wiz] Next Generation
Security Architecture - TO MODERATOR - CORRECTED COPY)

Dear Sir,

The features you relate to in your discussion of reverse proxy are already
implemented in a commercially available product. This product is a reverse
proxy that protects the HTTP layer and the application layer (logic) of a
web-site. It protects against, among other things:

- web-server specific attacks (Unicode, ::$DATA, double-dots, forceful
browsing, directory listing, etc.)

- buffer overflows of various kinds (in the URL/query, in HTTP fields, and
even more importantly, in HTML form fields!)

- breaching the application logic - if you're not allowed to access a URL,
then you can't, and if a script expects its parameters in a certain format,
it will be enforced. This includes enforcing consistency of hidden
parameters.

- cookie poisoning - cookies sent to the client are not allowed to change.

It also does extensive logging of each request.

The product name is AppShield, by Sanctum Inc.
(http://www.sanctuminc.com)

If you need further assistance, please call us.

Thanks,

Security Forums Group
Sanctum Inc
Tel: 408 855 9500 x206
email: securityforums () sanctuminc com
www.sanctuminc.com

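The two Sanctum messages above describe a reverse proxy built on a positive security policy (only what the policy lists may enter the site) that enforces URL access, parameter formats, consistency of hidden form fields and unchanged cookies. The following is an added illustration of how such a filter can be written, not AppShield's code and not from any participant in this thread. The route table, the parameter patterns, the cookie and hidden-field sealing format and the HMAC key are all assumptions made for the example; a deployed proxy would load the policy from configuration and keep the key out of source.

```python
"""Positive-policy request filter for an HTTP reverse proxy (added example).

Everything not listed in POLICY is denied, so an attack the proxy has never
seen is rejected without a signature update. Hidden form fields and cookies
the proxy hands out are sealed with an HMAC so client-side changes are caught.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: a per-deployment secret known only to the proxy.
SECRET = b"demo-proxy-key-change-me"

# Parameter formats; the bounded lengths are what stop URL/field overflows.
RE_USER = re.compile(r"[a-z0-9_]{1,32}")
RE_PRINTABLE = re.compile(r"[\x20-\x7e]{1,64}")
RE_SKU = re.compile(r"[A-Z]{3}-\d{4}")
RE_QTY = re.compile(r"[1-9]\d{0,2}")

# Assumed positive policy: the only reachable paths, the only parameters each
# accepts with the format of each, and which parameters are hidden fields
# that the proxy itself issued (sealed) and must come back unchanged.
POLICY = {
    "/":         {"params": {}, "hidden": ()},
    "/login":    {"params": {"user": RE_USER, "pw": RE_PRINTABLE}, "hidden": ()},
    "/cart/add": {"params": {"sku": RE_SKU, "qty": RE_QTY}, "hidden": ("price",)},
}


def _tag(value: str) -> str:
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()


def seal(value: str) -> str:
    """Append an HMAC tag to a cookie or hidden-field value sent to the client."""
    return f"{value}.{_tag(value)}"


def unseal(sealed: str):
    """Return the original value if its tag verifies, otherwise None."""
    value, sep, tag = sealed.rpartition(".")
    if not sep:
        return None
    # Constant-time compare on bytes; a non-ASCII tag from the client is just wrong.
    return value if hmac.compare_digest(_tag(value).encode(), tag.encode()) else None


def check_request(method: str, url: str, params=None, cookies=None):
    """Decide whether one request conforms to the positive policy.

    `params` is the form body as a dict (query-string parameters are merged
    in here), `cookies` the request cookies as a dict. Returns (allowed, reason).
    """
    params = dict(params or {})
    cookies = cookies or {}
    if method not in ("GET", "POST"):
        return False, f"method {method} not allowed"
    parts = urlsplit(url)
    # The raw, undecoded path must match a policy entry verbatim, so
    # "/cart/../admin", "%2e%2e" tricks and "::$DATA" suffixes fail the lookup.
    if parts.path not in POLICY:
        return False, f"path {parts.path!r} not in policy"
    rule = POLICY[parts.path]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(name, value)
    # Forceful browsing by parameter: anything not declared is rejected.
    unknown = set(params) - set(rule["params"]) - set(rule["hidden"])
    if unknown:
        return False, f"unexpected parameter(s) {sorted(unknown)}"
    # Hidden fields are required and must be exactly what the proxy issued.
    for name in rule["hidden"]:
        if name not in params:
            return False, f"hidden field {name} missing"
        if unseal(params[name]) is None:
            return False, f"hidden field {name} was modified"
    # Visible parameters must match their declared format in full.
    for name, pattern in rule["params"].items():
        if name in params and not pattern.fullmatch(params[name]):
            return False, f"parameter {name} does not match its format"
    # Cookie poisoning: every cookie the proxy set must verify unchanged.
    for name, value in cookies.items():
        if unseal(value) is None:
            return False, f"cookie {name} was modified"
    return True, "ok"
```

The proxy would call `check_request` on each inbound request and forward only those that return `(True, "ok")`, rewriting outbound responses so that Set-Cookie values and hidden form fields pass through `seal`. Note that the path check deliberately compares the undecoded path, which is what makes encoding tricks fall out of the allowlist; a proxy that decodes before matching has to canonicalise first or it reopens exactly the double-dot and Unicode cases the thread lists.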


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

