Security Basics mailing list archives

RE: A Good Reverse Proxy Product


From: "Dan Lynch" <DLynch () placer ca gov>
Date: Thu, 1 May 2008 09:21:21 -0700

AFAIK, a simple HTTP reverse proxy offers very little protection against
attack. This is not my area of expertise, so please correct me if I'm
wrong. For one thing, I've had no exposure to Apache- or Squid-based
solutions. (Linux and open-source are non-starters in my organization.)

I've had recent need to address just this question, and from what I can
determine, a simple reverse proxy protects your web server (the OWA
server in your case) only against IP stack attacks. It does not protect
against attacks targeting HTTP or the web application itself. 

One needs to add a certain amount of application-layer logic to the
proxy in order to restrict what HTTP methods are allowed, lengths and
content of specific fields, session state-based attacks, SQL injection,
etc. This is important for OWA especially as it wants to be a domain
member server, leaving you with a domain member exposed to direct
internet connections, and the losing battle of trying to control
Microsoft domain traffic through a firewall. 

     Private nets                DMZ                Internet

     Exchange --- FW --- OWA/IIS --- FW --- client


Placing the web application firewall in front of OWA terminates TCP
connections, allows you to enforce security policies on HTTP traffic,
and moves the OWA server into the internal network, where Microsoft
domain traffic can flow freely.

              Private nets                     DMZ              Internet

     Exchange --- OWA/IIS --- FW --- ISA --- FW --- client


Even so, I'm not particularly thrilled with allowing connections from
internet users in to a domain member OWA in the private network even
with a web application firewall in front of a conventional firewall. But
there's no better option that I know of for OWA.

Microsoft's ISA server suffices for this purpose, but it lacks the
flexibility and learning capabilities we want in order to place it in
front of other web apps. We looked (briefly) at application layer
firewalls by NetContinuum (now owned by Barracuda), Imperva, and F5.
The Barracuda product has the best price/features balance for us.

ICSA Labs has a useful technology overview:
http://www.icsalabs.com/icsa/main.php?pid=e3d8$9aa827fd-6bc89275$b290-f890fb17

Especially:
https://www.icsalabs.com/icsa/docs/html/communities/WAFwhitepaper.pdf

And from Information Security Magazine:
http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1303838,00.html

And a fairly recent product shootout:
http://www.informationweek.com/news/software/reviews/showArticle.jhtml?articleID=186701016&pgno=1&queryText=&isPrev=

Best of luck,

- Dan


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Paul Guibord
Sent: Wednesday, April 30, 2008 11:43 AM
To: 'security-basics () securityfocus com'
Subject: A Good Reverse Proxy Product



Greetings to all,

We have a new MS Exchange server and the administrator wants 
to provide remote Outlook Web Access access to it from the internet.
As opposed to having a direct outside to inside translation 
to it, I was told that we could put a reverse proxy server in 
the DMZ and then provide a DMZ to inside translation from there.

First of all, does this sound like the safest approach, and if 
so, can anyone provide the name of a good stable/secure 
reverse proxy product?

Thanks,

Paul
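
To make concrete the distinction Dan draws above (a plain reverse proxy
relays TCP connections; a web application firewall enforces policy on the
HTTP inside them), here is an added example of the kind of HTTP-layer
checks he lists: method allow-listing, published path prefixes, header and
body size limits, Content-Length sanity, and a crude injection signature.
This is illustrative code written for this thread, not code from any
product named in it. The OWA path prefixes, the limits, the regexes and
the sample requests are all constructed assumptions.

```python
"""HTTP-layer policy filter of the kind a reverse proxy needs to be a WAF.

Added example; every limit, prefix, pattern and sample request below is an
assumption constructed for illustration, not any product's rule set.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    # Assumed OWA virtual directories to publish; adjust per deployment.
    published_prefixes: tuple = ("/owa/", "/exchweb/", "/public/")
    max_request_line: int = 2048
    max_header_count: int = 40
    max_header_bytes: int = 8192
    max_body_bytes: int = 1 << 20
    # Deliberately crude signatures; real WAF rule sets are far richer.
    denied_patterns: tuple = (
        re.compile(r"\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+", re.I),
        re.compile(r"<script\b", re.I),
    )


@dataclass
class Verdict:
    allowed: bool
    reason: str
    method: Optional[str] = None
    path: Optional[str] = None


def _path_published(path: str, prefixes) -> bool:
    """'/owa' and '/owa/...' are published; '/owattack' is not."""
    return any(path == p.rstrip("/") or path.startswith(p) for p in prefixes)


def inspect_request(raw: bytes, policy: Policy = Policy()) -> Verdict:
    """Apply application-layer policy to one raw HTTP/1.x request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, "incomplete header block")
    lines = head.split(b"\r\n")
    if len(lines[0]) > policy.max_request_line:
        return Verdict(False, "request line too long")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return Verdict(False, "malformed request line")
    method, target, _version = parts
    path = target.split("?", 1)[0]
    if method not in policy.allowed_methods:
        return Verdict(False, f"method {method} not allowed", method, path)
    if not _path_published(path, policy.published_prefixes):
        return Verdict(False, f"path {path} not published", method, path)
    header_lines = lines[1:]
    if len(header_lines) > policy.max_header_count:
        return Verdict(False, "too many headers", method, path)
    if sum(len(h) for h in header_lines) > policy.max_header_bytes:
        return Verdict(False, "headers too large", method, path)
    headers = {}
    for h in header_lines:
        name, colon, value = h.decode("latin-1").partition(":")
        if not colon or not name.strip():
            return Verdict(False, "malformed header", method, path)
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        return Verdict(False, "missing Host header", method, path)
    declared = headers.get("content-length")
    if declared is not None:
        if not declared.isdigit():
            return Verdict(False, "bad Content-Length", method, path)
        if int(declared) > policy.max_body_bytes:
            return Verdict(False, "body too large", method, path)
        if int(declared) != len(body):  # refuse ambiguous framing outright
            return Verdict(False, "Content-Length does not match body", method, path)
    elif body:
        return Verdict(False, "body without Content-Length", method, path)
    text = target + "\n" + body.decode("latin-1")
    for pat in policy.denied_patterns:
        if pat.search(text):
            return Verdict(False, f"matched denied pattern {pat.pattern!r}", method, path)
    return Verdict(True, "ok", method, path)


# Constructed sample requests; a TCP-level reverse proxy would relay all of them.
SAMPLES = {
    "legit_logon": (b"GET /owa/auth/logon.aspx?url=/owa HTTP/1.1\r\n"
                    b"Host: mail.example.com\r\nUser-Agent: demo\r\n\r\n"),
    "trace_method": b"TRACE /owa/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "unpublished_path": b"GET /remote/admin.aspx HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "oversized_cookie": (b"GET /owa/ HTTP/1.1\r\nHost: mail.example.com\r\nCookie: "
                         + b"A" * 9000 + b"\r\n\r\n"),
    "sqli_logon": (b"POST /owa/auth/owaauth.dll HTTP/1.1\r\nHost: mail.example.com\r\n"
                   b"Content-Length: 35\r\n\r\nusername=admin' OR 1=1--&password=x"),
    "length_mismatch": (b"POST /owa/ HTTP/1.1\r\nHost: mail.example.com\r\n"
                        b"Content-Length: 5\r\n\r\nabcdefgh"),
}


def run_samples(policy: Policy = Policy()) -> dict:
    return {name: inspect_request(raw, policy) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:18} {'ALLOW' if v.allowed else 'DENY':5} {v.reason}")
```

Only the first sample gets through; everything else is exactly the traffic
an IP-stack-only proxy would hand straight to the OWA server. What this
toy omits, and what the thread says a real product must add, is
session-state tracking and a learned model of legitimate field values.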


