RE: Back onto reverse proxies

[Ben Nagy <ben.nagy () marconi com au>]

> -----Original Message-----
> From: stuart.flisher [mailto:stuart.flisher () btinternet com]
> Sent: Monday, March 26, 2001 10:29 PM
> To: firewall-wizards () nfr net; firewall-wizards () nfr com
> Subject: [fw-wiz] Back onto reverse proxies
> [...]
> I have recently worked with two clients that have fronted a 
> web server with
> a proxy server (reverse) for inbound web traffic. Not wanting 
> to discuss SSL
> issues or load balancing issues - I ask the following:
>
> Does a reverse proxy add any value??

Not usually. They can sometimes catch layer 1-4 attacks, which is good if
you have a firewall that doesn't already do that.

> Consider that the web servers are part of a larger web application
> infrastructure with app servers, db servers, etc. There is no real web
> content on the web server as all the pages are dynamic, 
> created by the app
> server. Isn't the web server, in this environment, already 
> acting as a kind
> of proxy?

If only that were true! Wouldn't it be great if everyone designed their B2B
app servers so that they didn't store any important data on the server
itself?
[...]
> One point mentioned in a previous reverse proxy discussion 
> was that if the
> traffic both sides was SSL then a compromise of the server 
> would not allow
> sniffing of the network to find sensitive data. Hey but the 
> server is a
> proxy creating two connections decrypting inbound and then 
> re-encrypting in
> a different session outbound. This means that the data is decrypted
> somewhere, probably in memory, allowing some clever git to read it.

Uh...no. Proxy servers do not and cannot decrypt / re-encrypt SSL traffic.
If they did it would be bad. SSL accelerators, on the other hand, basically
pretend to be the end server but provide their own cert. However, they don't
usually re-encrypt the traffic and send it on though - that would defeat the
whole purpose of SSL accelerators.

> A possible plus for a proxy that has inbound http/SSL and 
> clear http to the
> backend is that IDS boxes can read the http traffic looking 
> for attacks
[...]

That sort of proxy would be an SSL accelerator. It would almost never be
performance-effective to do SSL offload with 'normal' WWW server hardware.
You mentioned SSL accelerators - they do that, but they don't normally do
IDS. So, one advantage of having SSL accelerators is that you can put NIDS
systems behind them, yes.

> Comments on the role of a reverse proxy in this scenario would be
> appreciated.

My personal opinion is fairly aligned with yours. Reverse proxies provide
only a marginal security win, unless you have a useless firewall.

> Regards
>
> Stuart

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards