Firewall Wizards mailing list archives
Re: Reverse Proxy on DMZ
From: "Perry E. Metzger" <perry () piermont com>
Date: 13 Jan 1999 11:20:27 -0500
"Matt McClung, CCSA/CCSE" <mmcclung () ndwcorp com> writes:
> I would disagree. I have had to set up a proxy on a separate DMZ off the firewall that I allowed to access an inside web server. There was a need for this setup (outside developers for web app needed access to dev. server). What you need to do is a couple things:
> 1. Harden your proxy server (I used Novell's BorderManager which made it harder in the 1st place)

Useless. The proxy isn't what you are going to break into. It is the cgi on the destination machine.

> 2. Verify your security from the inside and outside (scan both sides, audit, review)

Useless. Again, this doesn't prevent the attacker from hitting the thing they are attacking. They have legitimate access to the point of attack, so no amount of scanning will tell you anything.

> 3. Require strong authentication - 1 time passwords etc.

Not particularly foolproof. This will not prevent attacks from "legitimate" users or attacks based on session stealing.

> 4. Make sure you have good audit trails and logs.

That won't prevent people from breaking in to your soft chewy middle via CGI bugs and nuking you, either.

> 5. Make sure your proxy server has the ability to limit where the users can go...policy based

Again, you are letting them go, by design, into the single most dangerous part of your network.

> With these steps, good design and following general security practices on your web server you should have a good solution.

That is totally untrue. Indeed, that is highly irresponsible of you to be saying. You seem to have totally missed the point of what the security analysis needs to be worried about. You appear to be holding yourself out as a security professional. I hate to say this, but I fear for your clients.

Perry