Uhh...you've lost me.

I mean I'm happy to agree that any external access to devices that are on
the inside LAN is not ideal, but why is it that a reverse proxy "allows
users to connect directly to internal hosts"? Isn't this a little bit like
the question we had before where the design was to use DMZ WWW proxies to
access a database farm (which you obviously don't want in the DMZ)?

At the end of the day, if there is a reason that you need to keep that
webserver inside your LAN (maybe because it has other services open, or
because it is set up so that local users can modify it with another TCP
based service) then IMO a reverse proxy is a pretty reasonable way to do
things.

Couldn't find the thread you referenced, BTW. Mebbe you could fwd it to me
offline?

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520

-----Original Message-----
From:   Jason Axley [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 19, 1999 12:23 AM
To:     christian ALT (span)
Cc:     [EMAIL PROTECTED]
Subject:        Re: Reverse proxy

Reverse-proxy situations are not good architectures because they
essentially allow users to connect directly to internal hosts.  Users then
bypass the DMZ-type network entirely so if the webserver they are
accessing gets compromised, it's game over--the attacker is now not
confined to a DMZ-type network but is on your internal LAN!  Fun, fun,
fun.

See the February 1999 firewall-wizards mailing list for some good
discussion of this topic.
http://www.nfr.net/firewall-wizards/mail-archive/1999/Feb

-Jason

On Tue, 18 May 1999, christian ALT (span) wrote:

> Date: Tue, 18 May 1999 15:41:03 +0200
> From: "christian ALT (span)" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Reverse proxy
> 

  [NON-Text Body part not included]



AT&T Wireless Services
IT Security
UNIX Security Operations Specialist

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]