On Sat, 13 Feb 1999, Bernd Eckenfels wrote:
> > How do you do authentication between the client and the real server?
>
> You don't.
Theoretically you could write an application-level "proxy" and still have
authentication between the client and the real server. But this would be
almost useless and I've never seen it. You need to decrypt the octet
stream at the proxy, do the security enforcement, and if everything fits,
forward the still-encrypted stream buffer to the server. This has many
vulnerabilities: you need the server key (it's not limited to SSL...) on
the firewall to decrypt the stream. You also don't know the relationship
between the decrypted requests and the encrypted buffer.
> You authenticate with the Endpoint of the Connection, the
> Reverse-Proxy. Reverse-Proxies are not HTTP Proxies but simple Port
> Forwarders or application level filters.
If you use a port forwarder (or TCP-level proxy, or however you call
it) you have a security context between the client and the real server,
not between the client and the forwarder, the endpoint of the TCP
connection.
Rudi
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
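The distinction drawn in this reply, a TCP-level forwarder that leaves the security context between client and real server (the forwarder relays bytes it cannot read or alter) versus an application-level proxy that would need the server key, shown as an added example that is not code from the thread or from any product it mentions. It assumes a shared key and a toy SHA-256/HMAC cipher standing in for SSL, and all function names and the sample request are constructed for the demo.

```python
import hashlib, hmac, os, socket, threading

# Constructed demo: a TCP-level reverse proxy that only relays bytes. Client and
# real server share KEY; the forwarder never holds it, so the security context
# is client<->server. Toy cipher (SHA-256 keystream + HMAC) stands in for SSL.
KEY = os.urandom(32)

def keystream(key, nonce, n):
    blocks = range(n // 32 + 1)
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in blocks)

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: stream was altered in transit")
    return bytes(c ^ s for c, s in zip(body, keystream(key, nonce, len(body))))

def listener():  # bound to an OS-chosen loopback port
    ls = socket.socket(); ls.bind(("127.0.0.1", 0)); ls.listen(1); return ls

def tcp_forwarder(ls, target_port, seen):  # relays one request/reply, records bytes
    with ls:
        conn, _ = ls.accept()
        with conn, socket.create_connection(("127.0.0.1", target_port)) as up:
            req = conn.recv(4096); seen.append(req); up.sendall(req)
            resp = up.recv(4096); seen.append(resp); conn.sendall(resp)

def real_server(ls, handled):  # the only other party holding KEY
    with ls:
        conn, _ = ls.accept()
        with conn:
            request = unseal(KEY, conn.recv(4096))
            handled.append(request)
            conn.sendall(seal(KEY, b"200 OK for " + request))

def run_demo(request):
    server_ls, proxy_ls = listener(), listener()
    server_port, proxy_port = server_ls.getsockname()[1], proxy_ls.getsockname()[1]
    seen, handled = [], []
    threads = [threading.Thread(target=real_server, args=(server_ls, handled)),
               threading.Thread(target=tcp_forwarder, args=(proxy_ls, server_port, seen))]
    for t in threads: t.start()
    with socket.create_connection(("127.0.0.1", proxy_port)) as c:  # client side
        c.sendall(seal(KEY, request))
        reply = unseal(KEY, c.recv(4096))
    for t in threads: t.join()
    return {"server_got": handled[0], "reply": reply, "proxy_saw": seen}
```

`run_demo` returns what the real server decrypted, the client's decrypted reply, and the opaque blobs the forwarder observed; the request path never appears in the forwarder's view, and any byte it changes fails the server's integrity check.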