Reverse-proxy situations are not good architectures because they
essentially allow users to connect directly to internal hosts. Users then
bypass the DMZ-type network entirely, so if the webserver they are
accessing gets compromised, it's game over--the attacker is now not
confined to a DMZ-type network but is on your internal LAN! Fun, fun,
fun.
See the February 1999 firewall-wizards mailing list for some good
discussion of this topic.
http://www.nfr.net/firewall-wizards/mail-archive/1999/Feb
-Jason
On Tue, 18 May 1999, christian ALT (span) wrote:
> Date: Tue, 18 May 1999 15:41:03 +0200
> From: "christian ALT (span)" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Reverse proxy
>
AT&T Wireless Services
IT Security
UNIX Security Operations Specialist