Hi

Or you can use an SSL accelerator box, so that you have HTTP between the SSL
box and the webserver and HTTPS between the browser and the SSL box. In this
way you can use an IDS like Snort on the HTTP segment and this would be a
security increase.

And it's also better for the performance and for the load on the webserver.

Erwin


-----Original Message-----
From: Volker Tanger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 15 February 2001 13:06
To: Peter Bruderer
Cc: [EMAIL PROTECTED]
Subject: Re: Reverse proxy


Greetings!

Peter Bruderer wrote:

> One stance: To increase security some people want to put a reverse
> proxy between the browser and the webserver.

[...]

> The stance of my side: Just to increase security the additional
> reverse proxy is useless.  Reason: It does no protocol conversion,
> it does no authentication.  Buffer overflow attacks are not stopped
> at the reverse proxy, because it is just copying data from one socket
> to another after decrypting it.  Low level IP attacks are handled by
> the firewall

...hopefully. That is highly dependent on your firewall. For a proxy-based
firewall like Raptor or TIS/Gauntlet you will probably be correct - but most
packetfilter-based firewalls (Checkpoint Firewall-1, SonicWall, *BSD and
Linux kernel filters) will not check (enough) for low-level attacks.
"Tweaked" IP packets (e.g. purposeful length mismatch) or simple protocol
misusage will not be identified or filtered by the latter type.

So if (and only if) you have an application gateway firewall (Raptor,
Gauntlet or similar class) you are right. Else you should add a proxy to
filter out all packet-attacks and most of the simple protocol-based attacks.
Of course a firewall or proxy can never eliminate e.g. CGI-based attacks...

Bye
    Volker

--

Volker Tanger  <[EMAIL PROTECTED]>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]