Jason Axley wrote:
> 
> Sorry--one month off.  It's in the _January_ archives:
> http://www.nfr.net/firewall-wizards/mail-archive/1999/Jan/
> 
> A web proxy server facilitates a direct connection between a user and the
> end system--it passes whatever data the user gives it to the back-end

What you describe is true only to a certain extent.  The
proxy module on Apache does not "directly" pass on a request
when reverse proxying.  It first must process that request.
If there were a buffer overflow being utilized, it must first
make it through the proxy processing the request before it can
do any harm.

One of the fundamental benefits of this architecture is that
the internal server is not susceptible to arbitrary packets
sent by an attacker.  Only attacks that result in "correct"
requests being forwarded can do any harm, and this will narrow
a hacker's field considerably.

I believe that reverse proxying services is fairly safe in general
as long as the proxy is not simply forwarding arbitrary packets
internally.  This architecture is consistent with a DMZ bastion host
strategy.

Your example about passing buckets of water and motor oil is fine,
but is incomplete.  What if you pass on hot coals?  Those would be
dropped and not forwarded on.  I see what you mean, in that a reverse proxy
architecture is not foolproof, but it is sometimes better than the alternative,
like giving DMZ hosts access to internal databases.

If your opinion is correct, then there's little hope, as most services
are "securely" run when proxied, like outbound DNS, inbound SMTP, etc.

--Joshua
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
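The point made above (that a reverse proxy parses the request and re-emits its own copy, so only input the proxy itself accepts as a well-formed request ever reaches the internal server) can be shown with a small request-normalizing filter. This is an added illustration, not code from the thread or from the Apache proxy module; the size limits, method allowlist and sample requests are constructed for the example.

```python
"""Request normalization of the kind a reverse proxy performs before
forwarding.  Added illustration (not Apache mod_proxy code); the limits
and sample requests below are constructed."""
from dataclasses import dataclass
from typing import Optional

MAX_REQUEST_LINE = 2048            # constructed limit
MAX_HEADER_LINE = 4096             # constructed limit
MAX_HEADERS = 64                   # constructed limit
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


@dataclass
class Verdict:
    forwarded: Optional[bytes]   # canonical request sent to the back end, or None if dropped
    reason: str                  # "ok", or why the request was dropped at the proxy


def normalize_request(raw: bytes) -> Verdict:
    """Parse the request head; drop anything malformed or oversized and
    rebuild what survives, so the back end never sees the client's raw bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(None, "request head not terminated")
    try:
        text = head.decode("ascii")          # request head must be plain ASCII
    except UnicodeDecodeError:
        return Verdict(None, "non-ascii bytes in request head")

    lines = text.split("\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        # The overlong-input case: dropped here, never forwarded.
        return Verdict(None, "request line too long")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return Verdict(None, "malformed request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return Verdict(None, f"method not allowed: {method}")
    if version not in ALLOWED_VERSIONS:
        return Verdict(None, f"unsupported version: {version}")
    if not target.startswith("/") or any(ord(c) < 0x20 or c.isspace() for c in target):
        return Verdict(None, "bad request target")

    header_lines = lines[1:]
    if len(header_lines) > MAX_HEADERS:
        return Verdict(None, "too many headers")
    headers = []
    for line in header_lines:
        if len(line) > MAX_HEADER_LINE:
            return Verdict(None, "header line too long")
        name, colon, value = line.partition(":")
        # Header names are restricted to token characters; this also rejects
        # folded continuation lines, which begin with whitespace.
        if not colon or not name or not all(c.isalnum() or c == "-" for c in name):
            return Verdict(None, "malformed header")
        headers.append((name.title(), value.strip()))

    # Re-emit a canonical request rather than relaying the original bytes.
    out = f"{method} {target} {version}\r\n"
    out += "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"
    return Verdict(out.encode("ascii") + body, "ok")


# Constructed sample requests.
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"host: internal.example\r\nuser-agent: demo\r\n\r\n")
OVERLONG_REQUEST = b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: x\r\n\r\n"
BAD_METHOD_REQUEST = b"TRACE / HTTP/1.1\r\nHost: x\r\n\r\n"
FOLDED_HEADER_REQUEST = b"GET / HTTP/1.1\r\nHost: x\r\n continued\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("good", GOOD_REQUEST), ("overlong", OVERLONG_REQUEST),
                      ("bad method", BAD_METHOD_REQUEST),
                      ("folded header", FOLDED_HEADER_REQUEST)]:
        v = normalize_request(req)
        print(f"{name:14s} -> {v.reason}")
```

Note that the forwarded request is rebuilt from the parsed fields with normalized header names, so the internal server receives only what the proxy chose to emit; the body is relayed unchanged here, so a production proxy would also need to enforce Content-Length and body-size limits.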