Firewall Wizards mailing list archives

RE: Reversise Proxies?


From: "Robert Collins" <robert.collins () itdomain com au>
Date: Mon, 5 Mar 2001 09:37:23 +1100

Thank you,
        I'm not currently in the market for a reverse proxy, which is
why I did not talk about specific products, but instead tried to clarify
what a product needs to be a worthwhile reverse proxy. It does sound
like your product would be worth investigating for new sites. 

On the more general side, I have not done a market review for some time
- on the commercial side the air-gap appliance was touted as having a
similar set of functionality. The Novell NCS suite, and the MS ISA
products seem a little below the functionality barrier from what I've
seen. On the free software side, both apache, with mod_rewrite (already
mentioned) and squid (not mentioned so far) have the capability to
perform fine grained access checks. I'm not aware of any other free
software packages aimed at http reverse proxying, with the fine grained
control we're talking about.

In my view one significant benefit of a roll-your-own environment is the
flexibility to quickly add protection against new web server attacks.
        - Does your product allow that? Or do you require the users to
wait for patches?


Does anyone know of any other commercial reverse proxies along similar
lines? Are there existing market reviews? I'd be willing to do a review
if there is significant interest among the list readers. (please mail me
direct regarding that so as not to flood the list).

Rob





-----Original Message-----
From: SecurityForums [mailto:SecurityForums () sanctuminc com]
Sent: Sunday, March 04, 2001 11:43 PM
To: Robert Collins
Cc: firewall-wizards () nfr com
Subject: RE: Reversise Proxies? (was Re: [fw-wiz] Next Generation
Security Architecture - TO MODERATOR - CORRECTED COPY)


Dear Sir,

The features you relate to in your discussion of reverse proxy are
already implemented in a commercially available product. This product
is a reverse proxy that protects the HTTP layer and the application
layer (logic) of a web-site. It protects against, among other things:

- web-server specific attacks (Unicode, ::$DATA, double-dots, forceful
browsing, directory listing, etc.)

- buffer overflows of various kinds (in the URL/query, in HTTP fields,
and even more importantly, in HTML form fields!)

- breaching the application logic - if you're not allowed to access a
URL, then you can't, and if a script expects its parameters in a
certain format, it will be enforced. This includes enforcing
consistency of hidden parameters.

- cookie poisoning - cookies sent to the client are not allowed to
change.

It also does an excessive logging of each request.

The product name is AppShield, by Sanctum Inc.
(http://www.sanctuminc.com)

If you need further assistance, please call us.

Thanks,

Security Forums Group
Sanctum Inc
Tel: 408 855 9500 x206
email: securityforums () sanctuminc com
www.sanctuminc.com



