Firewall Wizards mailing list archives
RE: RE: Reversise Proxies?
From: "SecurityForums" <SecurityForums () sanctuminc com>
Date: Sun, 11 Mar 2001 14:12:13 +0200
Dear Robert,

In your message below, you ask about the ability of AppShield to respond to new web-server attacks without issuing patches.

Gladly, AppShield provides defense for web servers in a manner that does not require constant patching and updating of the web servers (or AppShield). The security concept upon which AppShield is built completely avoids this issue by specifying positive security policy (what should enter the site) rather than negative policy (what shouldn't enter the site). As such, new attacks are by definition disallowed.

We hope this answers your question. For more information, please call us or visit our site: http://www.sanctuminc.com. For information about AppShield, go directly to http://www.sanctuminc.com/solutions/appshield/index.html .

Thanks,

Security Forums Group
Sanctum Inc
Tel: 408 855 9500 x206
email: securityforums () sanctuminc com
www.sanctuminc.com

Thank you,

I'm not currently in the market for a reverse proxy, which is why I did not talk about specific products, but instead tried to clarify what a product needs to be a worthwhile reverse proxy. It does sound like your product would be worth investigating for new sites.

On the more general side, I have not done a market review for some time - on the commercial side the air-gap appliance was touted as having a similar set of functionality. The Novell NCS suite, and the MS ISA products seem a little below the functionality barrier from what I've seen.

On the free software side, both apache, with mod_rewrite (already mentioned) and squid (not mentioned so far) have the capability to perform fine grained access checks. I'm not aware of any other free software packages aimed at http reverse proxying, with the fine grained control we're talking about.

In my view one significant benefit of a roll-your-own environment is the flexibility to quickly add protection against new web server attacks. Does your product allow that? Or do you require the users to wait for patches?

Does anyone know of any other commercial reverse proxies along similar lines? Are there existing market reviews? I'd be willing to do a review if there is significant interest among the list readers. (please mail me direct regarding that so as not to flood the list).

Rob

-----Original Message-----
From: SecurityForums [mailto:SecurityForums () sanctuminc com]
Sent: Sunday, March 04, 2001 11:43 PM
To: Robert Collins
Cc: firewall-wizards () nfr com
Subject: RE: Reversise Proxies? (was Re: [fw-wiz] Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY)

Dear Sir,

The features you relate to in your discussion of reverse proxy are already implemented in a commercially available product. This product is a reverse proxy that protects the HTTP layer and the application layer (logic) of a web-site. It protects against, among other things:

- web-server specific attacks (Unicode, ::$DATA, double-dots, forceful browsing, directory listing, etc.)
- buffer overflows of various kinds (in the URL/query, in HTTP fields, and even more importantly, in HTML form fields!)
- breaching the application logic - if you're not allowed to access a URL, then you can't, and if a script expects its parameters in a certain format, it will be enforced. This includes enforcing consistency of hidden parameters.
- cookie poisoning - cookies sent to the client are not allowed to change.

It also does an excessive logging of each request.

The product name is AppShield, by Sanctum Inc. (http://www.sanctuminc.com)

If you need further assistance, please call us.

Thanks,

Security Forums Group
Sanctum Inc
Tel: 408 855 9500 x206
email: securityforums () sanctuminc com
www.sanctuminc.com

_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
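
The contrast between positive and negative policy described in the message above, as an added example that is not part of the original post and is not AppShield's implementation. The site map, parameter formats and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Negative policy: block only patterns already known to be bad.
DENYLIST = ("..", "::$data")

# Positive policy (constructed): every URL this hypothetical site serves,
# and the exact format each parameter of that URL must have.
POLICY = {
    "/index.html": {},
    "/search": {"q": re.compile(r"[\w ]{1,64}")},
    "/cart/add": {"item": re.compile(r"\d{1,8}"), "qty": re.compile(r"[1-9]\d?")},
}

def negative_allows(url: str) -> bool:
    """Allow the request unless a known-bad pattern appears in it."""
    lowered = url.lower()
    return not any(bad in lowered for bad in DENYLIST)

def positive_allows(url: str) -> bool:
    """Allow only a listed URL whose parameters all match the declared format."""
    parts = urlsplit(url)
    rules = POLICY.get(parts.path)
    if rules is None:
        return False  # URL is not part of the site: forceful browsing
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rule = rules.get(name)
        if rule is None or name in seen or not rule.fullmatch(value):
            return False  # undeclared, repeated or malformed parameter
        seen.add(name)
    return seen == set(rules)  # every declared parameter must be present

# Constructed sample requests.
SAMPLES = [
    "/search?q=reverse+proxy",
    "/cart/add?item=1042&qty=2",
    "/images/../../secret.txt",
    "/index.html::$DATA",
    "/admin/backup.bak",
    "/cart/add?item=1042&qty=" + "9" * 5000,
    "/cart/add?item=1042&qty=2&price=0",
]

def compare(urls):
    """Return (url prefix, negative verdict, positive verdict) per request."""
    return [(u[:40], negative_allows(u), positive_allows(u)) for u in urls]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

The last three samples pass the denylist because they contain no known-bad pattern, while the positive policy rejects them as an unlisted URL, an over-long parameter and an undeclared parameter.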