Firewall Wizards mailing list archives
Reverse Proxies? (was Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY)
From: "Robert Collins" <robert.collins () itdomain com au>
Date: Tue, 27 Feb 2001 07:52:02 +1100
----- Original Message -----
From: "Ng Pheng Siong" <ngps () post1 com>
To: "Robert Collins" <robert.collins () itdomain com au>
Cc: <firewall-wizards () nfr net>
Sent: Tuesday, February 27, 2001 2:11 AM
Subject: Re: [fw-wiz] Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY
>> AFAIK some of the commercial reverse proxies will perform authentication
>> on behalf of the webserver.
>
> Then the reverse proxy is really telling the webserver "trust me" when
> communicating the identity of the client. Apart from the (imho fallacious)
> warm fuzzy feeling that "our real webserver is no longer exposed to direct
> attack from the Internet", I don't see value in a reverse proxy - the
> reverse proxies I've seen in production simply relay stuff back and forth.
Well I wouldn't really call them reverse proxies if they don't do any
protocol validation or access control. I believe a good reverse proxy has
a lot of value as an element in a defense in depth strategy. And if it
simply relays requests without any intelligence, then the webserver is not
really protected... I believe a reverse proxy should

a) be capable of filtering attacks that the webserver is known to be
   vulnerable to (IIS Unicode anyone? Excessively long URLs?)
b) be based on a different platform than the protected webserver (i.e. if
   your webserver is apache, don't use apache's mod_proxy).
c) be able to fail closed for more secure environments.
d) have an effective logging system that is hard to bypass.

That said, if a reverse proxy doesn't meet all of those criteria, it
_might_ still be useful. Does anyone have any points to add for the
minimum requirements to have an effective reverse proxy?
>> What about things like the cisco LocalDirector? Although I'm not quite
>> sure whether that's a reverse proxy or a tcp load balancer :-].
>
> It's a dead product. Cisco now peddles Arrowpoint. ;-)
Ok.

Rob

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
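The following is an added example, not code from the thread or from any product discussed in it. It shows, in plain Python, what the "intelligence" Robert asks for in a reverse proxy looks like for an HTTP request line: filter the two attack classes he names (IIS Unicode traversal, over-long URLs), fail closed on anything the filter cannot parse or decode, log every decision, and strip client-supplied identity headers so the "trust me" identity the backend receives can only come from the proxy itself. It goes slightly beyond the text by also catching double-percent-encoded traversal. The header names (X-Authenticated-User, X-Forwarded-User), the 2048-byte limit, the method allow-list and the two-pass decode bound are all assumptions chosen for the example.

```python
"""Request-filtering front end for a reverse proxy (added example).

Checks one request line and its headers the way the thread argues a
reverse proxy should: reject known attack patterns, fail closed, log
every decision, and never forward identity the client supplied itself.
All limits and header names below are assumptions for this example.
"""
import logging
from typing import Dict, Tuple
from urllib.parse import unquote_to_bytes

log = logging.getLogger("rproxy-filter")

MAX_TARGET_LEN = 2048                      # assumption: generous for normal sites
ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumption: what the backend serves
MAX_DECODE_PASSES = 2                      # one pass, plus one to catch %25-double encoding
# Assumed headers the proxy uses to tell the backend who authenticated.
# A client must never be able to set them directly.
IDENTITY_HEADERS = {"x-authenticated-user", "x-forwarded-user"}


def _decode_target(target: str) -> bytes:
    """Percent-decode until stable, bounded to MAX_DECODE_PASSES.

    Raises ValueError if the target still decodes further after the last
    pass (deeper nesting is treated as hostile) and UnicodeDecodeError if
    the bytes are not valid UTF-8: Python's strict decoder rejects the
    overlong forms such as C0 AF for '/' that the IIS Unicode traversal
    relied on, so a plain '..' check alone would miss them.
    """
    current = target.encode("utf-8", "surrogateescape")
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current = decoded
    if unquote_to_bytes(current) != current:
        raise ValueError("percent-encoding nested too deeply")
    current.decode("utf-8")  # strict: raises on overlong / invalid sequences
    return current


def _has_traversal(decoded: bytes) -> bool:
    """True if any path segment is '..' once backslashes are normalised."""
    path = decoded.split(b"?", 1)[0].replace(b"\\", b"/")
    return any(segment == b".." for segment in path.split(b"/"))


def _deny(reason: str, request_line: str) -> Tuple[str, str, Dict[str, str]]:
    log.warning("deny (%s) %r", reason, request_line)
    return "deny", reason, {}


def filter_request(request_line: str, headers: Dict[str, str]) -> Tuple[str, str, Dict[str, str]]:
    """Return (decision, reason, headers_to_forward) for one request.

    Every path that is not explicitly understood ends in "deny", so the
    filter fails closed rather than relaying what it could not parse.
    """
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return _deny("malformed-request-line", request_line)
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return _deny("method-not-allowed", request_line)
    if len(target) > MAX_TARGET_LEN:
        return _deny("target-too-long", request_line)
    try:
        decoded = _decode_target(target)
    except (ValueError, UnicodeDecodeError) as exc:
        return _deny(f"bad-encoding: {type(exc).__name__}", request_line)
    if _has_traversal(decoded):
        return _deny("path-traversal", request_line)
    # Drop identity headers the client tried to supply; the backend must only
    # trust values the proxy adds after its own authentication step.
    forwarded = {k: v for k, v in headers.items() if k.lower() not in IDENTITY_HEADERS}
    dropped = sorted(set(headers) - set(forwarded))
    if dropped:
        log.warning("stripped client-supplied identity headers %s from %r", dropped, request_line)
    log.info("allow %r", request_line)
    return "allow", "ok", forwarded


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample requests: one benign, one IIS Unicode traversal.
    print(filter_request("GET /index.html HTTP/1.0", {"Host": "www.example.com"}))
    print(filter_request("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0", {}))
```

The overlong-UTF-8 request is rejected at the decoding step, before any path check runs, which is the point: a filter that only looks for the literal string ".." would relay it. Because the checks are ordered from cheapest to most expensive and every unhandled case denies, the same structure also satisfies Robert's fail-closed requirement without a separate mode switch.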
Current thread:
- RE: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY agetchel (Feb 20)
- Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY Darren Reed (Feb 20)
- Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY Ng Pheng Siong (Feb 21)
- Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY Robert Collins (Feb 25)
- Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY Ng Pheng Siong (Feb 26)
- Reverse Proxies? (was Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY) Robert Collins (Feb 26)
- Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY Robert Collins (Feb 25)
- <Possible follow-ups>
- Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY Bill_Royds (Feb 21)
- RE: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY MONTENEGRO,FERNANDO (HP-Canada,ex1) (Feb 26)