Firewall Wizards mailing list archives

Re: Next Generation Security Architecture


From: Brian Ford <brford () cisco com>
Date: Mon, 26 Feb 2001 17:50:17 -0500

Ng,


> What about things like the cisco
> LocalDirector? Although I'm not quite sure whether that's a reverse
> proxy or a tcp load balancer :-].

> It's a dead product. Cisco now peddles Arrowpoint. ;-)

Buzzzz.  Sorry. Wrong answer.

We still sell LocalDirector (the load balancer) as an Enterprise product. Not everyone needs multi GigE feeds and speeds of the CSS switches (darn!).

Regarding

> AFAIK some of the commercial reverse proxies will perform authentication
> on behalf of the webserver.

and

> Apart from the (imho fallacious) warm fuzzy feeling that "our real
> webserver is no longer exposed to direct attack from the Internet", I don't
> see value in a reverse proxy

Wouldn't the addition remove some of the load from the server? I know it does from mine. I use the Cut-through proxy in the PIX to authenticate users looking at my server (on the Cisco intranet).

Regards,

Brian

Date: Mon, 26 Feb 2001 23:11:20 +0800
From: Ng Pheng Siong <ngps () post1 com>
To: Robert Collins <robert.collins () itdomain com au>
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY

On Thu, Feb 22, 2001 at 08:20:47AM +1100, Robert Collins wrote:
> From: "Ng Pheng Siong" <ngps () post1 com>
> > Reverse proxies break X.509 cert-based client authentication.
>
> I don't believe there's any protocol level reason why the reverse proxy
> cannot perform the X.509 certificate authentication itself. Certainly
> the web server AND the reverse proxy cannot both perform that
> authentication.

You're right on both counts.


> AFAIK some of the commercial reverse proxies will perform authentication
> on behalf of the webserver.

Then the reverse proxy is really telling the webserver "trust me" when
communicating the identity of the client.

Apart from the (imho fallacious) warm fuzzy feeling that "our real
webserver is no longer exposed to direct attack from the Internet", I don't
see value in a reverse proxy - the reverse proxies I've seen in production
simply relay stuff back and forth.


> What about things like the cisco
> LocalDirector? Although I'm not quite sure whether that's a reverse
> proxy or a tcp load balancer :-].

It's a dead product. Cisco now peddles Arrowpoint. ;-)

--
Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
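The "trust me" relationship Ng describes (a reverse proxy doing the X.509 client authentication and then asserting the client's identity to the webserver) is illustrated below with added example code that is not part of this thread or of any product mentioned in it. The header name, the proxy address 10.0.0.5 and the DNs are assumed for the example; the point is that the backend may honour the asserted identity only when the request demonstrably came through the proxy, and the proxy must strip any copy of that header a client supplies itself.

```python
# Added illustration (not from the thread): how a backend should treat the
# client identity a TLS-terminating reverse proxy asserts on its behalf.
# Header name, addresses and DNs below are assumed/constructed for the example.
from ipaddress import ip_address, ip_network

IDENTITY_HEADER = "x-client-cert-dn"          # assumed header name


def proxy_forward(inbound_headers, verified_dn):
    """Proxy side, after it has verified the client certificate itself:
    drop any copy of the identity header the client supplied, then set it
    from the verified certificate. Returns the headers sent upstream."""
    upstream = {k.lower(): v for k, v in inbound_headers.items()
                if k.lower() != IDENTITY_HEADER}
    if verified_dn is not None:
        upstream[IDENTITY_HEADER] = verified_dn
    return upstream


def backend_identity(headers, peer_ip, trusted_proxies):
    """Backend side: honour the identity header only when the TCP peer is a
    trusted proxy. Anyone reaching the backend directly is anonymous,
    whatever headers they send. Returns the DN or None."""
    peer = ip_address(peer_ip)
    if not any(peer in ip_network(n) for n in trusted_proxies):
        return None
    dn = {k.lower(): v for k, v in headers.items()}.get(IDENTITY_HEADER)
    return dn or None


# Constructed sample: the proxy sits at 10.0.0.5; a user tries to smuggle a DN.
TRUSTED = ["10.0.0.5/32"]


def demo():
    smuggled = {"Host": "www.example.test", "X-Client-Cert-DN": "CN=admin"}
    # 1. Request arrives via the proxy, which verified the client cert as CN=alice;
    #    the smuggled CN=admin is discarded on the way.
    via_proxy = proxy_forward(smuggled, "CN=alice")
    # 2. Same headers delivered straight to the backend, bypassing the proxy.
    direct = backend_identity(smuggled, "192.0.2.7", TRUSTED)
    return backend_identity(via_proxy, "10.0.0.5", TRUSTED), direct


if __name__ == "__main__":
    print(demo())  # ('CN=alice', None)
```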

