RE: Back onto reverse proxies

["stuart.flisher" <stuart.flisher () btinternet com>]

> > sniffing of the network to find sensitive data. Hey but the
> > server is a
> > proxy creating two connections decrypting inbound and then
> > re-encrypting in
> > a different session outbound. This means that the data is decrypted
> > somewhere, probably in memory, allowing some clever git to read it.
>
> Uh...no. Proxy servers do not and cannot decrypt / re-encrypt SSL traffic.

> > Sure they can- (a) they can act as the end server, present a valid
> > certificate and then go do an SSL session for outbound

I agree with this. Look at Apache with mod_proxy it does exactly this. It is
used for one of the customers that I have come across. The proxy has a cert
for the main dns name. The web server has a different cert. The proxy
becomes an SSL client to the web server. Maybe I would opt to not to have
SSL out the backend for performance reasons.

> > (I've actually advocated this for some environments- it adds the ability
to do
> > ActiveX/VBS/Java stripping for instance- and if you own DNS or force
> > proxy usage, it's pretty easy.)

I like that (one I didn't think of). What product will do that?

> > A possible plus for a proxy that has inbound http/SSL and
> > clear http to the
> > backend is that IDS boxes can read the http traffic looking
> > for attacks
> [...]
>
> That sort of proxy would be an SSL accelerator. It would almost never be

> > Technically, it's only an SSL accelerator if it does fast crypto- a
config
> > of mod_rewrite would do the same thing without any accelleration- in fact
> > it'd probably slow things down.

I agree. Accelerators don't proxy (strictly speaking). Accelerators are
cards in the server or cards in a switch (BIG-IP F5, Alteon, Hyperflow,
(ServerIron's eventually I am told :) ).

Regards

Stuart


























_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards