Firewall Wizards mailing list archives

RE: Reverse proxy scenario


From: tim.groenwals () belgacom be
Date: Thu, 21 Sep 2000 09:23:29 +0200

Hi,

I've done a similar setup here at our company.

I used Stronghold (www.c2.net), and after some configuration problems, it's
running smoothly.

- Our clients all have a client certificate
- the reverse proxy has a proxy certificate (seen from the clients, this
acts as a server certificate)
- the reverse proxy performs checks on these client certificates
- the reverse proxy has a client certificate (towards the content server,
can be a private one)
- the content server has a server certificate (towards the rev. proxy, can
be a private one)

So there is an SSL communication between the content server and the reverse
proxy, AND between the reverse proxy and the clients.

Regards,

Tim Groenwals
tim.groenwals () belgacom be

-----Original Message-----
From: Carric Dooley [mailto:carric () com2usa com]
Sent: Wednesday, September 20, 2000 7:42 PM
To: firewall-wizards () nfr net; firewall-wizards () nfr com
Subject: [fw-wiz] Reverse proxy scenario


OK.. I don't work much with proxies so I wanted to run this past you guys
and get some input:

I have a client (an internet bank) that wants to secure an account access
front-end.  The architecture is:

A front-end web server protected by FW-1 that the users actually attach to
via SSL.  This web server would then connect back through the FW-1 to a
private DMZ where it would have to speak through an application proxy to get
to another webserver that has a database backend (the golden egg with
account data that we are trying to protect).  The front end web server will
make XML calls (hopefully over SSL or some other encrypted tunnel...
suggestions?) through the proxy to the other database-backed web server.
This way the user never actually interacts with the box that queries the
database.  The mechanism of HOW they do this is beyond the scope of what
I care about  =), so I don't really want to go there.

I have been researching proxying SSL and it looks like that's a pain in the
a**.  I would like to get some input from anyone that has done reverse
http/https setups for companies.  I have looked at using something
specifically for this, like Netscape Proxy, or going with something like
Raptor or Gauntlet so they can add more functionality to this architecture
later on.  I can't find any data on doing this with either Raptor or
Gauntlet however.  I realize the proxy has to have a key for the SSL tunnel,
and then talk to the other server via an ssl tunnel it creates using the web
server's key (if you do ssl from the proxy to the internal web server, which
may or may not be a requirement).  I am trying to get to a place where:

If the front end box is compromised, the traffic can't be sniffed for
sensitive info.  The intruder would have to traverse the firewall AGAIN, and
then bypass the application proxy, and defeat the security model for the
database to get any info.  I guess the backend webserver is doing dynamic
pages that will be transferred to the front end as static HTML.

Any takers?  =)


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards




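The five-point setup Tim describes (client certificates checked by the reverse proxy, a separate client certificate from the proxy towards the content server, and a server certificate on the content server) as an added example in modern Apache httpd 2.4 mod_ssl syntax; this is not Stronghold's configuration and not from either poster. All hostnames, file paths and the CA organisation name are placeholders.

```apache
# Front leg: the bank's customers connect here over SSL/TLS.
Listen 443
<VirtualHost *:443>
    ServerName            proxy.bank.example
    SSLEngine             on
    # The "proxy certificate": acts as a server certificate towards clients.
    SSLCertificateFile    /etc/ssl/proxy/front-server.crt
    SSLCertificateKeyFile /etc/ssl/proxy/front-server.key

    # Require a client certificate and verify it against the CA that issued
    # the customers' certificates; the handshake fails without a valid one.
    SSLCACertificateFile  /etc/ssl/proxy/customer-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        2
    # Export SSL_CLIENT_* variables so they can be checked and forwarded.
    SSLOptions            +StdEnvVars

    <Location "/">
        # Extra check on the verified certificate: only accept certificates
        # issued by the bank's own CA (placeholder organisation name).
        Require expr %{SSL_CLIENT_I_DN_O} == "Example Bank CA"
        # Forward the verified subject DN to the content server as a header;
        # the content server must trust only this proxy to set it.
        RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}e"
    </Location>

    # Back leg: re-encrypt towards the content server in the private DMZ.
    SSLProxyEngine             on
    # Verify the content server's (possibly private-CA) server certificate.
    SSLProxyCACertificateFile  /etc/ssl/proxy/internal-ca.crt
    SSLProxyVerify             require
    SSLProxyVerifyDepth        1
    SSLProxyCheckPeerName      on
    # The proxy's own client certificate (PEM with cert + key) for the back leg.
    SSLProxyMachineCertificateFile /etc/ssl/proxy/back-client.pem

    ProxyRequests    Off
    ProxyPass        "/" "https://content.internal.example/"
    ProxyPassReverse "/" "https://content.internal.example/"
</VirtualHost>
```

Both legs terminate on the proxy, so anyone who controls that box sees the plaintext passing through it; the second SSL leg protects only the hop to the content server, which is why the client-certificate check and the content server's own access controls still matter.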
