WebApp Sec mailing list archives

RE: Reverse Proxy Server?


From: "Harry Chemin" <hchemin () tgen org>
Date: Tue, 27 May 2003 14:32:42 -0700

I would recommend adding interfaces to your firewall so that you can have
several demilitarized zones to serve the functional requirements you
listed below.  At my company, I set up Cisco PIX
firewalls with a remote-access DMZ and web services DMZ.  I have my VPN
concentrators terminating their "inside" connection on the remote access
DMZ and then I put all other servers that require access from the
"untrusted" Internet onto the web services DMZ.  I can control traffic
for all interfaces on my firewalls with separate access-lists and
perform all of my NAT from one location.  
 
                        Internet
                           |
                           |
                       Edge Routers
                           |
                           |
                       Edge Switches
                        |        |
                        |        |
                       VPN    PIX Firewalls
                        |      |   |      |
                        |      |   |      |
          Remote Access DMZ-----   |      -----Web Services DMZ  
                                   |
                                 Core
                                 Network

The advantage of this design is that you physically control access to
all of these different networks through a single pair of firewalls.
Logically, this design allows you to create different security policies
for each network segment attached to the different NICs on your
firewalls.  This design would also work with IPTables, ipchains,
Checkpoint, etc.

Thanks,


Harry Chemin, CCNA, CISSP
Senior Network Security Engineer
TGen, The Translational 
Genomics Research Institute
400 North Fifth Street, Suite 1600
Phoenix, AZ 85004
(602)343-8461 Direct
(602) 333-1212 Fax
hchemin () tgen org

-----Original Message-----
From: Don Felgar [mailto:dfelgar () rainier-infosys com] 
Sent: Tuesday, May 27, 2003 9:51 AM
To: Dean Thompson
Cc: webappsec () securityfocus com
Subject: Re: Reverse Proxy Server?


On Tue, May 27, 2003, Dean Thompson wrote:
I hope this is the right place to post this...

We develop numerous internal web applications that we occasionally need to
publish to customers.  In very sensitive scenarios, we will force them to
use a VPN to connect.  In others, we just publish a server/app beyond the
firewall.  I would like to see a solution that could handle both scenarios
easily, and would not require that I put multiple servers or apps outside
the firewall.

My thoughts were to use something like what Anonymizer
(http://www.anonymizer.com) does.  Essentially, it just forwards requests
for you, and returns the information to you.  So, if someone out there went
to http://mydomain.com and logged in, they could then go to
http://mydomain.com?server=someserver (or something like that).  Does
anyone out there know of a tool like this that is already available?  I
would prefer a Windows platform, but 'nix is acceptable.

Thanks,
Dean

You can also give the webserver in question a public IP address, put it
behind a firewall, and configure the firewall to allow access to the
necessary IP addresses only.  This will work either with or without a
VPN.  This has the added benefit of excluding attacks on ports 80 and/or
443, but a drawback in that you must know in advance what IP addresses
to allow.

If you cannot know in advance what IP addresses to let through, you can
authenticate the client on a public webserver, and upon success poke a
hole in the firewall for that specific IP address and then redirect the
client.

Incidentally a drawback to port-forwarding type schemes is that all
traffic appears to originate from a single IP address from the point of
view of the webserver, reducing the utility of logfiles.  I don't know
if Squid reverse proxy has this effect or not.  Don't learn this the
hard way as I did.

--Don
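
As an added example (not code from the thread, and not Squid's own logic): the logging problem Don describes, where a reverse proxy makes every request look like it comes from the proxy's address, is usually handled by having the proxy append the client's address to an X-Forwarded-For header and having the backend read it. The backend must only believe that header when the request actually arrived via one of its own proxies, otherwise any client can forge it. The trusted-proxy ranges and the sample addresses below are constructed for illustration.

```python
"""Recover the originating client address behind a reverse proxy for logging.

Assumes the proxy appends the peer it saw to X-Forwarded-For (a common
convention); the backend trusts the header only when the direct peer is one
of its own proxies, and walks the chain from the right so that any
client-supplied prefix of the header is ignored.
"""
import ipaddress


def parse_xff(header):
    """Split an X-Forwarded-For value into a left-to-right list of hops."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def _is_trusted(addr, trusted_nets):
    """True if addr is a valid IP inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def client_ip_for_log(remote_addr, xff_header, trusted_proxy_cidrs):
    """Return the address worth logging for this request.

    remote_addr is the TCP peer the backend sees; xff_header is the raw
    X-Forwarded-For value (or None); trusted_proxy_cidrs lists the ranges
    our reverse proxies live in (constructed values in the tests).
    """
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_proxy_cidrs]
    # Direct peer is not one of our proxies: the header is untrustworthy,
    # so log the peer itself (a forged header from the Internet is dropped).
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    # Walk right-to-left: the rightmost entries were added by our proxies,
    # and the first hop that is not a trusted proxy is the real client.
    for hop in reversed(parse_xff(xff_header)):
        if _is_trusted(hop, trusted):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer
        return hop
    return remote_addr  # header absent or only proxy hops: log the peer


def access_log_line(remote_addr, xff_header, trusted_proxy_cidrs, method, path, status):
    """Build a compact access-log line using the recovered client address."""
    client = client_ip_for_log(remote_addr, xff_header, trusted_proxy_cidrs)
    return f'{client} "{method} {path}" {status}'
```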