On Thu, 27 Jan 2000, Micheal Espinola Jr wrote:
> Greetings,
>
> I believe I have an adequate understanding of how proxy works and why it is
> beneficial to implement into one's network security solution.
>
> But, I have been unable to find a good source on the benefits of and
> practical implementations of a reverse proxy. I have been told by "security
> consultants" that my network should have a reverse proxy, but are unable to
> give me a clearly defined answer as to why. (personally, I think the people
> I have been dealing with are just security salesmen, and don't really know
> what the hell they are techno-babbling about).
I have implemented "reverse proxies" and "dual reverse proxies" for various
customers. Whether a simple "reverse proxy" or a "dual reverse proxy" was
used depended on whether or not the customer "owned" and "managed" the
existing firewall or the customer's paranoia.
The reasons for using a reverse proxy vary but with my customers the reasons
boil down to cost avoidance and sensitivity of the data. From a cost
avoidance perspective, it eliminates the non-recurring costs to stand up a
"throw away" system that is exposed to the Internet and the recurring costs
of updating the data on the "throw away" system and the management of the
system.
From a data sensitivity perspective, it allows the data to be encrypted as
it traverses the public Internet and allows different access control methods
to be used for external and internal users of the data.
Whether using a single or dual reverse proxy, the Web server containing the
content is hidden behind the firewall or several firewalls and cannot be
directly accessed from the Internet. In the dual reverse proxy scenario,
there is an external reverse proxy that the Internet user accesses and an
internal reverse proxy that retrieves the data from the actual Web
server. The firewall only needs to allow a single port to be opened between
the external and internal proxies.
From a cost avoidance perspective, all of the internal Web servers have a
"virtual host" on the reverse proxy exposed to the Internet. On a medium
sized site, you eliminate the cost of 60 or so server-grade "throw away"
systems sitting on your external LAN. As many of these may be nothing more
than web interfaces to databases hosted on other systems, you eliminate the
cost of duplicating the database systems as well.
In a dual reverse proxy configuration, the external reverse proxy is,
itself, a throw-away system. In the single reverse proxy, the proxy is
configured as a firewall. It is NOT the general purpose firewall used by
internal users to access the Internet. In the latter case, you get the side
benefit of removing the load of traffic passing through the firewall.
Also, if you are encrypting the traffic to the user you eliminate the
compute-bound encryption/decryption processing from the firewall.
> Could someone give me a point of reference to perform further research,
> and/or give me a basic overview of its practical application?
>
> Many thanks,
>
Merton Campbell Crockett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
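As an added illustration of the dual reverse proxy layout Merton describes (one virtual host per internal Web server on the external proxy, a single port opened through the firewall to an internal proxy, and the real servers hidden behind it), here is an nginx configuration; it is example configuration written for this page, not from the original thread, and every hostname, address and certificate path is a placeholder. Both fragments are assumed to sit in the http context of their respective nginx instances.

```nginx
# External reverse proxy: the "throw-away" host on the external LAN.
# One virtual host per internal web server; every one of them is relayed
# to the internal proxy over a single port (8443), so the firewall between
# the two proxies needs only that one port open.
server {
    listen 443 ssl;
    server_name www.example.com;                  # placeholder hostname
    ssl_certificate     /etc/nginx/tls/www.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/www.key;
    location / {
        proxy_pass https://192.0.2.10:8443;       # internal proxy (TEST-NET placeholder)
        proxy_set_header Host $host;             # keep the virtual host name intact
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_ssl_verify on;                     # encrypt and authenticate the hop
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_name internal-proxy.example.net;   # name on the internal proxy's cert
    }
}
server {
    listen 443 ssl;
    server_name reports.example.com;
    ssl_certificate     /etc/nginx/tls/reports.crt;
    ssl_certificate_key /etc/nginx/tls/reports.key;
    location / {
        proxy_pass https://192.0.2.10:8443;
        proxy_set_header Host $host;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_name internal-proxy.example.net;
    }
}

# Internal reverse proxy: the only host the firewall lets the external
# proxy reach. It dispatches on the Host header to the real web servers,
# which are never addressable from the Internet.
map $host $backend {
    www.example.com      10.0.1.20:80;
    reports.example.com  10.0.1.21:80;
    default              "";
}
server {
    listen 8443 ssl;
    ssl_certificate     /etc/nginx/tls/internal.crt;
    ssl_certificate_key /etc/nginx/tls/internal.key;
    location / {
        if ($backend = "") { return 421; }       # unknown Host: refuse rather than guess
        proxy_pass http://$backend;
        proxy_set_header Host $host;
    }
}
```

The firewall between the two proxies then permits only TCP 8443 from the external proxy to 192.0.2.10, and the real servers on 10.0.1.x accept HTTP from the internal proxy alone.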