Security Basics mailing list archives
RE: A Good Reverse Proxy Product
From: "Dan Lynch" <DLynch () placer ca gov>
Date: Thu, 1 May 2008 09:21:21 -0700
AFAIK, a simple HTTP reverse proxy offers very little protection against attack. This is not my area of expertise, so please correct me if I'm wrong. For one thing, I've had no exposure to Apache- or Squid-based solutions. (Linux and open-source are non-starters in my organization.)

I've had recent need to address just this question, and from what I can determine, a simple reverse proxy protects your web server (the OWA server in your case) only against IP stack attacks. It does not protect against attacks targeting HTTP or the web application itself. One needs to add a certain amount of application-layer logic to the proxy in order to restrict what HTTP methods are allowed, lengths and content of specific fields, session state-based attacks, SQL injection, etc.

This is important for OWA especially as it wants to be a domain member server, leaving you with a domain member exposed to direct internet connections, and the losing battle of trying to control Microsoft domain traffic through a firewall.

    Private nets        DMZ                Internet
    Exchange --- FW --- OWA/IIS --- FW --- client

Placing the web application firewall in front of OWA terminates TCP connections, allows you to enforce security policies on HTTP traffic, and moves the OWA server into the internal network, where Microsoft domain traffic can flow freely.

    Private nets                    DMZ            Internet
    Exchange --- OWA/IIS --- FW --- ISA --- FW --- client

Even so, I'm not particularly thrilled with allowing connections from internet users in to a domain member OWA in the private network even with a web application firewall in front of a conventional firewall. But there's no better option that I know of for OWA.

Microsoft's ISA server suffices for this purpose, but it lacks the flexibility and learning capabilities we want in order to place it in front of other web apps. We looked (briefly) at application layer firewalls by Net Continuum (now owned by Barracuda), Imperva, and F5. The Barracuda product has the best price/features balance for us.

ICSA Labs has a useful technology overview:
http://www.icsalabs.com/icsa/main.php?pid=e3d8$9aa827fd-6bc89275$b290-f890fb17

Especially:
https://www.icsalabs.com/icsa/docs/html/communities/WAFwhitepaper.pdf

And from Information Security Magazine:
http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1303838,00.html

And a fairly recent product shootout:
http://www.informationweek.com/news/software/reviews/showArticle.jhtml?articleID=186701016&pgno=1&queryText=&isPrev=

Best of luck,

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Paul Guibord
Sent: Wednesday, April 30, 2008 11:43 AM
To: 'security-basics () securityfocus com'
Subject: A Good Reverse Proxy Product

Greetings to all,

We have a new MS Exchange server and the administrator wants to provide remote Outlook Web Access access to it from the internet. As opposed to having a direct outside to inside translation to it, I was told that we could put a reverse proxy server in the DMZ and then provide a DMZ to inside translation from there. First of all, does this sound like the safest approach, and if so, can anyone provide the name of a good stable/secure reverse proxy product?

Thanks,
Paul
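
The application-layer checks the reply above says a plain reverse proxy lacks (allowed HTTP methods, field lengths, field content), sketched as an added example that is not part of the original thread and does not represent how ISA or any product named there works. The limits, the published path prefixes and the host name are assumed values.

```python
from urllib.parse import unquote

# Assumed policy values for illustration; a real deployment tunes these.
ALLOWED_METHODS = {"GET", "POST"}
PUBLISHED_PREFIXES = ("/owa/", "/exchange/")   # assumed published paths
MAX_TARGET, MAX_HEADER_LINE, MAX_BODY = 2048, 4096, 1_000_000

def check_request(raw):
    """Return (allowed, reason) for the header block of one raw HTTP/1.x request."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "malformed request line"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported version"
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(target) > MAX_TARGET:
        return False, "request target too long"
    # Decode once and normalise separators before judging the path.
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    if ".." in path.split("/") or "\x00" in path:
        return False, "path traversal"
    if not path.startswith(PUBLISHED_PREFIXES):
        return False, "path not published"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or len(line) > MAX_HEADER_LINE:
            return False, "bad or oversized header"
        headers[name.strip().lower()] = value.strip()
    length = headers.get("content-length", "0")
    if not length.isdigit() or int(length) > MAX_BODY:
        return False, "invalid or oversized content-length"
    return True, "ok"

# Constructed sample requests; the host name is a placeholder.
SAMPLES = [b"GET /owa/auth/logon.aspx HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
           b"TRACE /owa/ HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
           b"GET /owa/%2e%2e/%2e%2e/x HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(check_request(s), s.split(b"\r\n")[0])
```

A proxy that only relays TCP would forward all three sample requests unchanged; the filter forwards only the first.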