Firewall Wizards mailing list archives

Back onto reverse proxies


From: "stuart.flisher" <stuart.flisher () btinternet com>
Date: Mon, 26 Mar 2001 13:29:17 +0100

One of those discussions about reverse-proxies that does fit into the realm
of security/firewalls.

I have recently worked with two clients that have fronted a web server with
a proxy server (reverse) for inbound web traffic. Not wanting to discuss SSL
issues or load balancing issues - I ask the following:

Does a reverse proxy add any value??

Consider that the web servers are part of a larger web application
infrastructure with app servers, db servers, etc. There is no real web
content on the web server as all the pages are dynamic, created by the app
server. Isn't the web server, in this environment, already acting as a kind
of proxy?

Can we assume that the proxy server would be subject to the same type of
attacks as the web server, especially if the web server and proxy server
were from the same company (e.g. Netscape)? Can we assume that the proxy
server would just pass on traffic containing attacks to the web server
anyway? If so this is the point of my case against.

One point mentioned in a previous reverse proxy discussion was that if the
traffic on both sides was SSL then a compromise of the server would not allow
sniffing of the network to find sensitive data. Hey but the server is a
proxy creating two connections decrypting inbound and then re-encrypting in
a different session outbound. This means that the data is decrypted
somewhere, probably in memory, allowing some clever git to read it.

A possible plus for a proxy that has inbound http/SSL and clear http to the
backend is that IDS boxes can read the http traffic looking for attacks
before it gets to the web server. If this is the only plus then why not use
inline SSL termination devices (Alteon, BIG-IP, etc.) coz if you're an SSL
only site then you are going to need SSL hardware acceleration anyway. But I
said I didn't want to get into that... :)

Comments on the role of a reverse proxy in this scenario would be
appreciated.

Regards

Stuart

p.s. I have a security company in Dubai. If anyone good wants a job then let
me know ;)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

