Re: A Good Reverse Proxy Product

[Adriel Desautels <adriel () netragard com>]

Aron,
	Its funny how sometimes the most simple solutions evade us isn't it? 
I'd have to agree with what you said re: the VPN.

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Aaron Howell wrote:
> Dan Lynch wrote:
> > AFAIK, a simple HTTP reverse proxy offers very little protection against
> > attack. This is not my area of expertise, so please correct me if I'm
> > wrong.
>
> You're not wrong, but you're not quite right, either... (IMHO, of course...)
>
> > I've had recent need to address just this question, and from what I can
> > determine, a simple reverse proxy protects your web server (the OWA
> > server in your case) only against IP stack attacks. It does not protect
> > against attacks targeting HTTP or the web application itself.
>
>  This is basically true, but it's not quite that cut-and-dried.
>
> > One needs to add a certain amount of application-layer logic to the
> > proxy in order to restrict what HTTP methods are allowed, lengths and
> > content of specific fields, session state-based attacks, SQL injection,
> > etc.. 
>
>  If you add mod_security to an Apache reverse proxy, you get most (all?
> I'd have to do more checking than I have time for right now..) of this
> functionality.
>
> This is important for OWA especially as it wants to be a domain
> > member server, leaving you with a domain member exposed to direct
> > internet connections, and the losing battle of trying to control
> > Microsoft domain traffic through a firewall.
>
>  This is a really good point that nobody else has brought up. The rest
> of your post is also very informative, I just wanted to correct the
> point about Apache...
>
>  If I can drift slightly off-topic: If it were my job to attempt to
> secure this OWA server, I would push hard for VPN access for the people
> needing to access it remotely, instead of trying to hide it behind a
> proxy/webapp Firewall/etc. You then remove it's visibility to the
> Internet entirely (from the web-application standpoint, anyway...), and
> don't have to worry (as much) about it.