Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > webappsec > 03 > 050750.html (Request Expert securityfocus.com Support)

RE: Reverse Proxy Server?

From: Harry Chemin <hchemin(at)tgen.org>
Date: Tue May 27 2003 - 17:32:42 EDT


I would recommend adding interfaces to your firewall so that you have both can have several demilitarized zones to serve the functional requirements you listed below. At my company, I set up Cisco PIX firewalls with a remote-access DMZ and web services DMZ. I have my VPN concentrators terminating their "inside" connection on the remote access DMZ and then I put all other servers that require access from the "untrusted" Internet onto the web services DMZ. I can control traffic for all interfaces on my firewalls with separate access-lists and perform all of my NAT from one location.   

                        Internet
                           |
                           |
                       Edge Routers
                           |
                           |
                       Edge Switches
                        |        |
                        |        |
                       VPN    PIX Firewalls
                        |      |   |      |
                        |      |   |      |
          Remote Access DMZ-----   |      -----Web Services DMZ  
                                   |
                                 Core
                                 Network

The advantages with this design as that you physically control access to all of these different networks through a single pair of firewalls. Logically, this design allows you to create different security policies for each network segment attached to the different nics on your firewalls. This design would also work with IPTables, ipchains, Checkpoint, etc.

Thanks,

Harry Chemin, CCNA, CISSP
Senior Network Security Engineer
TGen, The Translational
Genomics Research Institute
400 North Fifth Street, Suite 1600
Phoenix, AZ 85004
(602)343-8461 Direct
(602) 333-1212 Fax
hchemin@tgen.org

-----Original Message-----
From: Don Felgar [mailto:dfelgar@rainier-infosys.com] Sent: Tuesday, May 27, 2003 9:51 AM
To: Dean Thompson
Cc: webappsec@securityfocus.com
Subject: Re: Reverse Proxy Server?

On Tue, May 27, 2003, Dean Thompson wrote:
> I hope this is the right place to post this...
to
> use a VPN to connect. In others, we just publish a server/app beyond
the
> firewall. I would like to see a solution that could handle both
scenarios
> easily, and would not require that I put multiple servers or apps
outside
> the firewall.
requests
> for you, and returns the information to you. So, if someone out there
went
> to http://mydomain.com and logged in, they could then go to
I
> would prefer a Windows platform, but 'nix is acceptable.

You can also give the webserver in question a public IP address, put it behind a firewall, and configure the firewall to allow access to the necessary IP addresses only. This will work either with or without a VPN. This has the added benefit of excluding attacks on ports 80 and/or 443, but a drawback in that you must know in advance what IP addresses to allow.

If you cannot know if advance what IP addresses to let through, you can authenticate the client on a public webserver, and upon success poke a hole in the firewall for that specific IP address and then redirect the client.

Do you need help?X

Incidentally a drawback to port-forwarding type schemes is that all traffic appears to originate from a single IP address from the point of view of the webserver, reducing the utility of logfiles. I don't know of Squid reverse proxy has this effect or not. Don't learn this the hard way as I did.

--Don Received on Tue May 27 18:09:55 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:51 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library