If authenticating users is all these servers need to do then I'd approach it
differently.

Say you use a PIX, right? Just get a 3-NIC PIX, place the WWW servers in a
DMZ, then create conduits for the internal PDC and BDC for UDP port 138
(from memory - I'm pretty sure there's only one port required for
authentication traffic). This will give you some measure of protection. If
you can lock it down to one port an attacker that takes over the WWW server
will be able to try and authenticate on the internal network but shouldn't
be able to get anything much else.

You can create a variation on this if you're using 2621s, but you'd need two
of them.

The reverse proxy thing would be even better, but to make it into a "good"
architecture I'd still put the reverse proxies in a DMZ.

In short, I'd say that doing _something_ is definitely worth the hassle. You
probably don't want NT webservers sitting around in your internal network
with no protection.

Cheers,

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  

> -----Original Message-----
> From: Michael Nelson [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 1 July 2000 10:22 AM
> To: [EMAIL PROTECTED]
> Subject: reverse proxies
> 
> 
> Does anyone have any opinions or experience on the use of reverse proxies
> to provide external users with access to internal web sites?
> 
> I've got a scenario where there are at least 2 internal NT web servers
> which need to stay on the internal network because they need to
> authenticate users against NT domain controllers in a bunch of different
> domains. My initial feeling was that having a reverse proxy would provide
> an extra layer of logging and indirection that might be beneficial. But I
> am starting to wonder if it is worth the hassle.
> 
> The organization in question will be implementing either a Cisco 2621
> router with the FW feature set or a PIX in a NAT configuration. 
> 
> thx,
> -mike
> 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 