WebApp Sec mailing list archives
RE: Reverse Proxy Server?
From: "Harry Chemin" <hchemin () tgen org>
Date: Tue, 27 May 2003 14:32:42 -0700
I would recommend adding interfaces to your firewall so that you have both can have several demilitarized zones to serve the functional requirements you listed below. At my company, I set up Cisco PIX firewalls with a remote-access DMZ and web services DMZ. I have my VPN concentrators terminating their "inside" connection on the remote access DMZ and then I put all other servers that require access from the "untrusted" Internet onto the web services DMZ. I can control traffic for all interfaces on my firewalls with separate access-lists and perform all of my NAT from one location. Internet | | Edge Routers | | Edge Switches | | | | VPN PIX Firewalls | | | | | | | | Remote Access DMZ----- | -----Web Services DMZ | Core Network The advantages with this design as that you physically control access to all of these different networks through a single pair of firewalls. Logically, this design allows you to create different security policies for each network segment attached to the different nics on your firewalls. This design would also work with IPTables, ipchains, Checkpoint, etc. Thanks, Harry Chemin, CCNA, CISSP Senior Network Security Engineer TGen, The Translational Genomics Research Institute 400 North Fifth Street, Suite 1600 Phoenix, AZ 85004 (602)343-8461 Direct (602) 333-1212 Fax hchemin () tgen org -----Original Message----- From: Don Felgar [mailto:dfelgar () rainier-infosys com] Sent: Tuesday, May 27, 2003 9:51 AM To: Dean Thompson Cc: webappsec () securityfocus com Subject: Re: Reverse Proxy Server? On Tue, May 27, 2003, Dean Thompson wrote:
I hope this is the right place to post this... We develop numerous internal web applications that we occasionally need to publish to customers. In very sensitive scenarios, we will force them
to
use a VPN to connect. In others, we just publish a server/app beyond
the
firewall. I would like to see a solution that could handle both
scenarios
easily, and would not require that I put multiple servers or apps
outside
the firewall. My thoughts were to use something like what Anonymizer (http://www.anonymizer.com) does. Essentially, it just forwards
requests
for you, and returns the information to you. So, if someone out there
went
to http://mydomain.com and logged in, they could then go to http://mydomain.com?server=someserver (or something like that). Does anyone out there know of a tool like this that is already available?
I
would prefer a Windows platform, but 'nix is acceptable. Thanks, Dean
You can also give the webserver in question a public IP address, put it behind a firewall, and configure the firewall to allow access to the necessary IP addresses only. This will work either with or without a VPN. This has the added benefit of excluding attacks on ports 80 and/or 443, but a drawback in that you must know in advance what IP addresses to allow. If you cannot know if advance what IP addresses to let through, you can authenticate the client on a public webserver, and upon success poke a hole in the firewall for that specific IP address and then redirect the client. Incidentally a drawback to port-forwarding type schemes is that all traffic appears to originate from a single IP address from the point of view of the webserver, reducing the utility of logfiles. I don't know of Squid reverse proxy has this effect or not. Don't learn this the hard way as I did. --Don
Current thread:
- Re: Reverse Proxy Server?, (continued)
- Re: Reverse Proxy Server? Bob Lee (May 27)
- Re: Reverse Proxy Server? Stig Palmquist (May 27)
- Re: Reverse Proxy Server? Don Felgar (May 27)
- Re: Reverse Proxy Server? Bob Lee (May 27)
- Re: Reverse Proxy Server? Don Felgar (May 28)
- Re: Reverse Proxy Server? Bob Lee (May 28)
- Re: Reverse Proxy Server? Bob Lee (May 27)
- Re: Reverse Proxy Server? Dean Thompson (May 28)
- RE: Reverse Proxy Server? Dawes, Rogan (ZA - Johannesburg) (May 27)
- RE: Reverse Proxy Server? Aaron Goldsmid (May 27)
- Re: Reverse Proxy Server? Neil Kohl (May 27)
- RE: Reverse Proxy Server? Harry Chemin (May 27)