Re: Reverse Proxy on DMZ

["Perry E. Metzger" <perry () piermont com>]

"Matt McClung, CCSA/CCSE" <mmcclung () ndwcorp com> writes:
> I would disagree.  I have had to setup a proxy on a seperate DMZ off the
> firewall that I allowed to access an inside web server.  There was a need
> for this setup (outside developers for web app needed access to dev. server)
> .  What you need to do is a couple things:
>
>   1. Harden your proxy server (I used Novell's BorderManager which made it
> harder in the 1st place)

Useless. The proxy isn't what you are going to break into. It is the
cgi on the destination machine.

>   2. Verify you security from the inside and outside (scan both sides,
> audit, review)

Useless. Again, this doesn't prevent the attacker from hitting the
thing they are attacking. They have legitimate access to the point of
attack, so no amount of scanning will tell you anything.

>   3. Require strong authentication - 1 time passwords etc.

Not particularly foolproof. This will not prevent attacks from
"legitimate" users or attacks based on session stealing.

>   4. Make sure you have good audit trails and logs.

That won't prevent people from breaking in to your soft chewy middle
via CGI bugs and nuking you, either.

>   5. Make sure your proxy server has the ability to limit where the users
> can go...policy based

Again, you are letting them go, by design, into the single most
dangerous part of your network.


> With these steps, good design and following general security practices on
> your web server you should have a good solution.

That is totally untrue. Indeed, that is highly irresponsible of you to 
be saying. You seem to have totally missed the point of what the
security analysis needs to be worried about.

You appear to be holding yourself out as a security professional. I
hate to say this, but I fear for your clients.

Perry