Firewall Wizards mailing list archives

RE: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY


From: "MONTENEGRO,FERNANDO (HP-Canada,ex1)" <fernando_montenegro () hp com>
Date: Mon, 26 Feb 2001 14:36:24 -0700

Hi!

Apart from the (imho fallacious) warm fuzzy feeling that "our real
webserver is no longer exposed to direct attack from the Internet", I don't
see value in a reverse proxy - the reverse proxies I've seen in production
simply relay stuff back and forth.

One comment I'd like to make is that if you're using Apache as a reverse
proxy, you can base your rewriting rules on the variables present on the
HTTP header or additional server variables. This makes for an interesting
set-up, where you can restrict inbound requests based on path, size,
time/date, agent, ... The security ramifications of this are *very*
interesting: it takes a bit of work, but you can severely restrict what HTTP
requests actually make it to the internal server and what they look like.

For more details, look at the documentation for mod_rewrite, especially the
RewriteCond directive.

Hope this helps.

Cheers,
Fernando
--
Fernando S. Montenegro, CISSP  -  fernando_montenegro () hp com
DISCLAIMER: Opinions expressed above are my own and do not necessarily
reflect those of my employer.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
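
The kind of RewriteCond-based request filtering the message above describes, as an added example that is not part of the original post. The server name, backend address, /app/ prefix, size limit and hours are hypothetical; the block assumes mod_rewrite and mod_proxy (with mod_proxy_http on Apache 2.x) are loaded.

```apache
# Added example, not from the original post. All names and limits below
# (www.example.com, 10.0.0.10:8080, /app/, 6-digit size cap, 06-21h) are
# hypothetical placeholders.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On

    # Method: refuse anything other than GET, HEAD and POST.
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
    RewriteRule .* - [F]

    # Path: only the published application prefix, with a conservative
    # character set (no '%', no backslash, no control characters).
    RewriteCond %{REQUEST_URI} !^/app/[A-Za-z0-9_./-]*$
    RewriteRule .* - [F]

    # Size: the declared body length must be absent or at most 6 digits
    # (< 1,000,000 bytes). A non-numeric Content-Length is refused too.
    RewriteCond %{HTTP:Content-Length} !^[0-9]{0,6}$
    RewriteRule .* - [F]

    # Time/date: accept POST only between 06:00 and 21:59 server time.
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{TIME_HOUR} !^(0[6-9]|1[0-9]|2[01])$
    RewriteRule .* - [F]

    # Agent: refuse requests with no User-Agent header. The header is
    # client-controlled, so this only filters noise; it is not a control
    # to rely on by itself.
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F]

    # Whatever survives the checks above is relayed to the internal server.
    # The target host is fixed; only the already-validated path is appended.
    RewriteRule ^/(.*)$ http://10.0.0.10:8080/$1 [P,L]
    ProxyPassReverse / http://10.0.0.10:8080/
</VirtualHost>
```

Each refused request gets a 403 from the proxy and shows up in its access log, which gives a place to watch for probing that never reaches the internal server.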

