Security Basics mailing list archives
Re: A Good Reverse Proxy Product
From: Adriel Desautels <adriel () netragard com>
Date: Mon, 05 May 2008 16:47:21 -0400
Aaron,

It's funny how sometimes the most simple solutions evade us, isn't it? I'd have to agree with what you said re: the VPN.
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
Join the Netragard, LLC. Linked In Group: http://www.linkedin.com/e/gis/48683/0B98E1705142
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Aaron Howell wrote:
> Dan Lynch wrote:
>> AFAIK, a simple HTTP reverse proxy offers very little protection against attack. This is not my area of expertise, so please correct me if I'm wrong.
>
> You're not wrong, but you're not quite right, either... (IMHO, of course...)
>
>> I've had recent need to address just this question, and from what I can determine, a simple reverse proxy protects your web server (the OWA server in your case) only against IP stack attacks. It does not protect against attacks targeting HTTP or the web application itself.
>
> This is basically true, but it's not quite that cut-and-dried.
>
>> One needs to add a certain amount of application-layer logic to the proxy in order to restrict what HTTP methods are allowed, lengths and content of specific fields, session state-based attacks, SQL injection, etc.
>
> If you add mod_security to an Apache reverse proxy, you get most (all? I'd have to do more checking than I have time for right now..) of this functionality.
>
>> This is important for OWA especially as it wants to be a domain member server, leaving you with a domain member exposed to direct internet connections, and the losing battle of trying to control Microsoft domain traffic through a firewall.
>
> This is a really good point that nobody else has brought up. The rest of your post is also very informative, I just wanted to correct the point about Apache...
>
> If I can drift slightly off-topic: If it were my job to attempt to secure this OWA server, I would push hard for VPN access for the people needing to access it remotely, instead of trying to hide it behind a proxy/webapp Firewall/etc. You then remove its visibility to the Internet entirely (from the web-application standpoint, anyway...), and don't have to worry (as much) about it.
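As an illustration of the point exchanged above (a bare reverse proxy needs application-layer logic added, which Aaron suggests getting from mod_security on Apache), here is an added example configuration that is not from anyone in the thread: an Apache 2.4 reverse proxy in front of an OWA server with mod_security 2.x rules for a method allowlist, a Host header check and per-field length bounds. The hostname, backend address, file paths, rule ids and limit values are assumptions.

```apache
# Added example, not from the thread: Apache 2.4 reverse proxy in front of an
# OWA server, with mod_security 2.x supplying the application-layer checks a
# bare proxy lacks. Hostname, backend address, paths and rule ids are assumed.
<VirtualHost *:443>
    ServerName owa.example.com
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/owa.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/owa.example.com.key

    # Reverse proxy only; never relay requests for arbitrary hosts.
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine On
    ProxyPass        /owa/ https://10.0.0.5/owa/
    ProxyPassReverse /owa/ https://10.0.0.5/owa/

    # Only the OWA path is reachable through the proxy; anything else is
    # refused here and never reaches the domain-joined backend.
    <Location />
        Require all denied
    </Location>
    <Location /owa/>
        Require all granted
    </Location>

    # mod_security: the application-layer logic the proxy itself lacks.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRequestBodyLimit 10485760
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Method allowlist: OWA needs GET, HEAD and POST; refuse the rest.
    SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" \
        "id:900001,phase:1,deny,status:405,log,msg:'Method not allowed'"

    # The Host header must name this site, so the backend never sees a
    # request addressed to some other virtual host.
    SecRule REQUEST_HEADERS:Host "!@rx ^(?i)owa\.example\.com(:443)?$" \
        "id:900002,phase:1,deny,status:400,log,msg:'Bad Host header'"

    # Per-field length bounds on the request line, every header value and
    # every query/form argument, independent of the whole-body limit above.
    SecRule REQUEST_URI "@rx ^.{2048,}" \
        "id:900003,phase:1,deny,status:414,log,msg:'URI too long'"
    SecRule REQUEST_HEADERS "@rx ^.{4096,}" \
        "id:900004,phase:1,deny,status:431,log,msg:'Header too long'"
    SecRule ARGS "@rx ^.{65536,}" \
        "id:900005,phase:2,deny,status:413,log,msg:'Argument too long'"
</VirtualHost>
```

The length limits are placeholders: run with `SecRuleEngine DetectionOnly` first and read the audit log, since OWA posts message bodies and attachment data as large form fields and a limit set too low will break sending mail.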
Current thread:
- Re: A Good Reverse Proxy Product Jon Kibler (May 01)
- Re: A Good Reverse Proxy Product Adriel Desautels (May 01)
- <Possible follow-ups>
- RE: A Good Reverse Proxy Product Dan Lynch (May 01)
- Re: A Good Reverse Proxy Product Aaron Howell (May 02)
- Re: A Good Reverse Proxy Product Adriel Desautels (May 05)
- Re: A Good Reverse Proxy Product Aaron Howell (May 02)
- Re: A Good Reverse Proxy Product Aiko Barz (May 02)
- Re: A Good Reverse Proxy Product David Glosser (May 05)