Firewall Wizards mailing list archives
RE: Reversise Proxies?
From: "Robert Collins" <robert.collins () itdomain com au>
Date: Mon, 5 Mar 2001 09:37:23 +1100
Thank you, I'm not currently in the market for a reverse proxy, which is why I did not talk about specific products, but instead tried to clarify what a product needs to be a worthwhile reverse proxy. It does sound like your product would be worth investigating for new sites.

On the more general side, I have not done a market review for some time - on the commercial side the air-gap appliance was touted as having a similar set of functionality. The Novell NCS suite, and the MS ISA products seem a little below the functionality barrier from what I've seen.

On the free software side, both apache, with mod_rewrite (already mentioned) and squid (not mentioned so far) have the capability to perform fine grained access checks. I'm not aware of any other free software packages aimed at http reverse proxying, with the fine grained control we're talking about.

In my view one significant benefit of a roll-your-own environment is the flexibility to quickly add protection against new web server attacks. Does your product allow that, or do you require the users to wait for patches?

Does anyone know of any other commercial reverse proxies along similar lines? Are there existing market reviews? I'd be willing to do a review if there is significant interest among the list readers. (Please mail me direct regarding that so as not to flood the list.)

Rob
-----Original Message-----
From: SecurityForums [mailto:SecurityForums () sanctuminc com]
Sent: Sunday, March 04, 2001 11:43 PM
To: Robert Collins
Cc: firewall-wizards () nfr com
Subject: RE: Reversise Proxies? (was Re: [fw-wiz] Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY)

Dear Sir,

The features you relate to in your discussion of reverse proxy are already implemented in a commercially available product. This product is a reverse proxy that protects the HTTP layer and the application layer (logic) of a web-site. It protects against, among other things:

- web-server specific attacks (Unicode, ::$DATA, double-dots, forceful browsing, directory listing, etc.)
- buffer overflows of various kinds (in the URL/query, in HTTP fields, and even more importantly, in HTML form fields!)
- breaching the application logic - if you're not allowed to access a URL, then you can't, and if a script expects its parameters in a certain format, it will be enforced. This includes enforcing consistency of hidden parameters.
- cookie poisoning - cookies sent to the client are not allowed to change.

It also does excessive logging of each request.

The product name is AppShield, by Sanctum Inc. (http://www.sanctuminc.com)

If you need further assistance, please call us.

Thanks,
Security Forums Group
Sanctum Inc
Tel: 408 855 9500 x206
email: securityforums () sanctuminc com
www.sanctuminc.com
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards