Firewall Wizards mailing list archives
Re: Back onto reverse proxies
From: ark () eltex ru
Date: Wed, 28 Mar 2001 15:19:34 +0400
nuqneH, "stuart.flisher" <stuart.flisher () btinternet com> said:
> One of those discussions about reverse proxies that does fit into the realm of security/firewalls. I have recently worked with two clients that have fronted a web server with a proxy server (reverse) for inbound web traffic. Not wanting to discuss SSL issues or load balancing issues - I ask the following: Does a reverse proxy add any value?
It depends on the implementation. It can, but... It certainly blocks TCP/IP stack-driven attacks because the original packets are not being forwarded. It _can_ block some subset of data-driven attacks under certain conditions.
> Consider that the web servers are part of a larger web application infrastructure with app servers, db servers, etc. There is no real web content on the web server as all the pages are dynamic, created by the app server. Isn't the web server, in this environment, already acting as a kind of proxy?
A web server is a complex, multifunctional thing - not a security application.
> Can we assume that the proxy server would be subject to the same type of attacks as the web server, especially if the web server and proxy server were from the same company (e.g. Netscape)? Can we assume that the proxy server would just pass on traffic containing attacks to the web server anyway? If so, this is the point of my case against.
Ah, I thought you were talking about proxies designed to enforce security, not generic speedup things like Squid and Netscape.
> One point mentioned in a previous reverse proxy discussion was that if the traffic on both sides was SSL then a compromise of the server would not allow sniffing of the network to find sensitive data. Hey, but the server is a proxy creating two connections, decrypting inbound and then re-encrypting in a different session outbound. This means that the data is decrypted somewhere, probably in memory, allowing some clever git to read it.
Sure.
> A possible plus for a proxy that has inbound http/SSL and clear http to the backend is that IDS boxes can read the http traffic looking for attacks before it gets to the web server. If this is the only plus then why not use inline SSL termination devices (Alteon, BIG-IP, etc.), coz if you're an SSL-only site then you are going to need SSL hardware acceleration anyway. But I said I didn't want to get into that... :) Comments on the role of a reverse proxy in this scenario would be appreciated.
There is a product made by Sanctum, Inc. (www.sanctuminc.com) but I have no personal experience with it.

CU in Hell
/Arkan#iD

Do I believe in Bible? Hell, man, I've seen one!
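Ark's two points, that a security-enforcing reverse proxy never forwards the client's original bytes and that it can stop some data-driven attacks only when it actually applies a policy, can be made concrete. The following is an added illustration written for this archive page; it is not code from the list, from Sanctum, or from any product named in the thread. The method and header allowlists, the path pattern, the backend name `app.internal.example`, and the sample requests are all constructed for the example. It parses a raw HTTP/1.x request, applies the policy, and re-serialises a canonical request for the backend, so whatever the client sent (an unknown method, a traversal path, a body whose length disagrees with its Content-Length, non-ASCII bytes in the request line) either parses cleanly into something the policy accepts or is rejected in front of the web server.

```python
"""
Minimal model of a security-enforcing reverse proxy's request handling.

The proxy never forwards the client's bytes: it parses the request, checks it
against a policy, and re-serialises a canonical request for the backend.
Anything that does not parse or fails policy is rejected before reaching the
web server. Policy constants and sample requests below are constructed for
this example only.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Only these request headers are passed through; everything else is dropped.
ALLOWED_HEADERS = {"host", "content-type", "content-length", "accept", "user-agent", "cookie"}
MAX_REQUEST_LINE = 2048
MAX_HEADERS = 32
# Conservative request-target shape: path segments plus an optional query string.
PATH_RE = re.compile(r"^/[A-Za-z0-9._~/\-]*(\?[A-Za-z0-9._~%&=\-]*)?$")
BACKEND_HOST = "app.internal.example"  # assumed backend hostname


class Reject(Exception):
    """Raised when a request must not be forwarded to the backend."""


def parse_request(raw: bytes):
    """Split a raw request into (method, target, headers, body) or raise Reject."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise Reject("incomplete header block")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        raise Reject("request line too long")
    try:
        method, target, version = request_line.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        raise Reject("malformed request line")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise Reject("unsupported version")
    if len(lines) - 1 > MAX_HEADERS:
        raise Reject("too many headers")
    headers = {}
    for line in lines[1:]:
        try:
            name, value = line.decode("ascii").split(":", 1)
        except (UnicodeDecodeError, ValueError):
            raise Reject("malformed header")
        name = name.strip().lower()
        if name in headers:
            raise Reject(f"duplicate header {name}")
        headers[name] = value.strip()
    return method, target, headers, body


def apply_policy(method, target, headers, body):
    """Enforce the allowlist policy; raise Reject on any violation."""
    if method not in ALLOWED_METHODS:
        raise Reject(f"method {method} not allowed")
    if not PATH_RE.match(target) or "/../" in target or target.endswith("/.."):
        raise Reject("path fails allowlist")
    # The body must be fully described by Content-Length; chunked or unframed
    # bodies never reach the backend.
    if "content-length" in headers:
        length = headers["content-length"]
        if not length.isdigit() or int(length) != len(body):
            raise Reject("content-length does not match body")
    elif body:
        raise Reject("body without content-length")


def build_backend_request(method, target, headers, body) -> bytes:
    """Re-serialise a clean request; only allowlisted headers survive."""
    out = [f"{method} {target} HTTP/1.1", f"Host: {BACKEND_HOST}"]
    for name in sorted(ALLOWED_HEADERS - {"host"}):
        if name in headers:
            out.append(f"{name.title()}: {headers[name]}")
    out.append("Connection: close")
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii") + body


def proxy(raw: bytes):
    """Return (True, backend_request_bytes) or (False, rejection_reason)."""
    try:
        method, target, headers, body = parse_request(raw)
        apply_policy(method, target, headers, body)
        return True, build_backend_request(method, target, headers, body)
    except Reject as exc:
        return False, str(exc)


# Constructed sample requests exercising the policy.
SAMPLES = {
    "normal": b"GET /catalog/item?id=42 HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: x\r\nX-Debug: 1\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "traversal": b"GET /static/../../private/config HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "length_mismatch": b"POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 3\r\n\r\nuser=a",
    "binary_junk": b"GET /\xff\xfe HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        forwarded, detail = proxy(raw)
        print(f"{label:16} forwarded={forwarded} {detail!r}")
```

Note what the "normal" case shows: the backend receives a request the proxy composed (its own Host, its own Connection header, the unknown X-Debug header gone), not the client's bytes. That is the property ark is relying on, and it only buys protection against data-driven attacks to the extent the policy in `apply_policy` reflects the application's real URL space; a proxy that forwards whatever parses, as a generic caching proxy does, adds little beyond the TCP/IP termination.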