On Wed, 12 Jul 2000, Mikael Olsson wrote:

> This works just fine, but there is one small problem that usually
> proves to be a huge problem in organizations with many
> users. (Why do users always have to screw up our good ideas?) --
> how do you authenticate to the reverse proxy?
> 
> Or, rather, from where does the reverse proxy get its user database?
> 
> Of course, you could just skip authentication at the reverse
> proxy and let the OWA handle that, but if that's the case, I don't
> really see the point? As I pointed out in some other thread, 
> the problem here isn't really HTTP headers, so I'm not sure how
> much more security the proxy will buy if we don't use it to
> sort out the bad guys before letting people on to the OWA.

...and it should be pointed out that the implicit assumption here is that
it is possible to trust all authenticated users.  Requiring SecurID would
help to ensure that nobody has shoulder surfed or guessed someone's
password (because in that case, the authenticated user is not necessarily
the real user you "trust").  That's the big hole with reverse
proxies--that even though you've authenticated users, the architecture
could still allow those users to do bad things and the proxy will happily
facilitate that.  Netscape web server buffer overflow, anyone?

-Jason

#include <std_disclaimer.h>

-- 

AT&T Wireless Services
IT Security
UNIX Security Operations Specialist

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
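The two points raised above (where the proxy gets its user database, and that an authenticated user can still push anything through a proxy that only checks credentials) can be illustrated with a small reverse-proxy front door. The following is an added example written for this discussion, not code from either poster or from any product named in the thread. It assumes a constructed local user table in place of a directory or one-time-password server, a hypothetical back-end address `owa.internal`, and that the published application lives under `/exchange/`; the `screen_request` function first authenticates, then constrains method, path and header size before anything is forwarded, so the proxy does not "happily facilitate" arbitrary requests from a user who merely holds a valid password.

```python
"""Reverse-proxy front door: authenticate, then limit what an authenticated
client may forward (added example; assumptions are marked in comments)."""
import base64
import hashlib
import hmac
import http.server
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional

BACKEND = "http://owa.internal"   # hypothetical back-end address, not from the thread


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, derived key). A real proxy would
# consult the directory or a one-time-password server instead of a dict.
USERS = {"alice": (b"salt-alice", _hash(b"salt-alice", "correct horse"))}


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization value a client would send (used for testing)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_credentials(authorization: Optional[str]) -> Optional[str]:
    """Return the username if an HTTP Basic credential verifies, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    entry = USERS.get(user)
    if entry is None:
        _hash(b"dummy-salt", password)   # same cost for unknown users
        return None
    salt, expected = entry
    return user if hmac.compare_digest(_hash(salt, password), expected) else None


ALLOWED_METHODS = {"GET", "POST"}
# Only the published application path; segments must start with an
# alphanumeric, which also rules out ".." traversal (assumed layout).
ALLOWED_PATH = re.compile(r"^/exchange(?:/[A-Za-z0-9][A-Za-z0-9._~-]*)*/?$")
MAX_HEADER_LEN = 2048


@dataclass
class Decision:
    allowed: bool
    reason: str
    user: Optional[str] = None


def screen_request(method: str, path: str, headers: Dict[str, str]) -> Decision:
    """Authenticate first, then constrain what an authenticated user may send."""
    user = check_credentials(headers.get("Authorization"))
    if user is None:
        return Decision(False, "authentication failed")
    if method not in ALLOWED_METHODS:
        return Decision(False, f"method {method} not permitted", user)
    if not ALLOWED_PATH.match(path):
        return Decision(False, "path outside published application", user)
    for name, value in headers.items():
        if len(name) + len(value) > MAX_HEADER_LEN:
            return Decision(False, f"oversized header {name}", user)
    return Decision(True, "forward to back end", user)


class FrontDoor(http.server.BaseHTTPRequestHandler):
    """Forwards only requests that pass screen_request; logs every decision."""

    def _serve(self) -> None:
        headers = dict(self.headers.items())
        decision = screen_request(self.command, self.path, headers)
        self.log_message("%s %s -> %s", self.command, self.path, decision.reason)
        if not decision.allowed:
            self.send_response(401 if decision.user is None else 403)
            self.end_headers()
            return
        length = int(headers.get("Content-Length", "0") or 0)
        body = self.rfile.read(length) if length else None
        for h in ("Authorization", "Host", "Content-Length"):
            headers.pop(h, None)          # proxy credential stays at the proxy
        headers["X-Authenticated-User"] = decision.user
        req = urllib.request.Request(BACKEND + self.path, data=body,
                                     headers=headers, method=self.command)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, payload = resp.status, resp.read()
        except urllib.error.HTTPError as err:
            status, payload = err.code, err.read()
        self.send_response(status)
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = _serve


if __name__ == "__main__":
    http.server.HTTPServer(("127.0.0.1", 8080), FrontDoor).serve_forever()
```

Run stand-alone it listens on 127.0.0.1:8080 and relays to the assumed back end; the useful part for the thread is that `screen_request` is the single place where both "who is this" and "what may this user send" are decided, and the proxy logs the reason for every denial so shoulder-surfed or guessed credentials being used for odd requests show up in the proxy log rather than only on the mail server.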
