Re: Back onto reverse proxies

[ark () eltex ru]

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

"stuart.flisher" <stuart.flisher () btinternet com> said :

> One of those discussions about reverse-proxies that does fit into the realm
> of security/firewalls.
>
> I have recently worked with two clients that have fronted a web server with
> a proxy server (reverse) for inbound web traffic. Not wanting to discuss SSL
> issues or load balancing issues - I ask the following:
>
> Does a reverse proxy add any value??

It depends on implementation. It can, but..

It certainly blocks tcp/ip stack-driven attacks because original packets are
not being forwarded. It _can_ block some subset of data-driven attacks under
certain conditions.
 
> Consider that the web servers are part of a larger web application
> infrastructure with app servers, db servers, etc. There is no real web
> content on the web server as all the pages are dynamic, created by the app
> server. Isn't the web server, in this environment, already acting as a kind
> of proxy?

Web server is a complex, multifunctional thing - not a security application.
 
> Can we assume that the proxy server would be subject the same type of
> attacks as the web server, especially if the web server and proxy server
> were from the same company (e.g. Netscape)? Can we assume that the proxy
> server would just pass on traffic containing attacks to the web server
> anyway? If so this is the point of my case against.

Ah, i thought you were talking about proxies designed to enforce security,
not generic speedup things like squid and Netscape. 
 
> One point mentioned in a previous reverse proxy discussion was that if the
> traffic both sides was SSL then a compromise of the server would not allow
> sniffing of the network to find sensitive data. Hey but the server is a
> proxy creating two connections decrypting inbound and then re-encrypting in
> a different session outbound. This means that the data is decrypted
> somewhere, probably in memory, allowing some clever git to read it.

Sure.
 
> A possible plus for a proxy that has inbound http/SSL and clear http to the
> backend is that IDS boxes can read the http traffic looking for attacks
> before it gets to the web server. If this is the only plus then why not use
> inline SSL termination devices (Alteon, BIG-IP, etc.) coz if your an SSL
> only site then you are going to need SSL hardware acceleration anyway. But I
> said I didn't want to get into that... :)
>
> Comments on the role of a reverse proxy in this scenario would be
> appreciated.

There is a product made by Sanctum, Inc. (www.sanctuminc.com) but i have no
personal expirience with it. 

                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQCVAwUBOsHIxKH/mIJW9LeBAQEY0QP+O05mWOZCKX0PoKC8BK/f6ildjuyoAsD8
D5j9efMgAzo9zFi5NNzRAQ6aW+/Q89HHMTcjUuCczI/KqYGwYRtvg/eYAxL3iMSg
oxHI6dt+ehG0xSXByUQtdcA9noxss0o0Qd0hFy+zM4a3uHwpg3hxNvdGB2nFIvGn
BDDoYsjy7OY=
=9sQt
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards