Hi there
I am in a discussion about using a reverse proxy or not.
The situation: A browser connects to a webserver which transfers the
HTTP requests into SQL queries using stored procedures. The connection
from the browser to the webserver is encrypted (SSL/TLS). Between the
browser and the webserver and between the webserver and the database
server is a firewall. This firewall does IP defragmentation and acts
as a SYN proxy.
(B)+++(FW)+++(HTTPS-SQL)---(FW)---(DB)
+++ = HTTPS
--- = SQL
One stance: To increase security some people want to put a reverse
proxy between the browser and the webserver. The reverse proxy
terminates the SSL connection and passes standard HTTP to the
webserver. The reason: buffer overflows are stopped at the reverse
proxy. A network based IDS can detect attacks in the datastream.
(B)+++(FW)+++(RP)...(FW)...(HTTP-SQL)---(FW)---(DB)
+++ = HTTPS
... = HTTP
--- = SQL
The stance of my side: Just to increase security the additional
reverse proxy is useless. Reason: It does no protocol conversion,
it does no authentication. Buffer overflow attacks are not stopped
at the reverse proxy, because it is just copying data from one socket
to an other after decrypting it. Low level IP attacks are handled by
the firewall. Attacks in the datastream are detected in the webserver
logfiles.
From the people wanting the additional reverse proxy I do not get any
facts. The only reason for the reverse proxy is: "I have the feeling ..."
Am I wrong? Do I overlook something? Can someone give me some facts
why the additional reverse proxy really increases security?
Thanks
Peter
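The disagreement above turns on what the reverse proxy actually does with the decrypted request before relaying it. The following Python sketch is an added example for this thread, not code from Peter's post or from any product on the list; the function names (forward_raw, forward_validated, relay_outcome), the ProxyReject exception and the size limits are all assumed for the demonstration, and the sample requests are constructed. forward_raw models the "copy bytes from one socket to the other" behaviour Peter describes, which indeed passes anything through; forward_validated models a proxy that parses the request, enforces limits and re-serialises it in canonical form, which is the only case in which oversized or malformed input is stopped before it reaches the webserver.

```python
"""Two relay strategies for a TLS-terminating reverse proxy (added example,
not from the original mailing-list post). Demonstrates that a proxy which
merely copies bytes adds nothing against oversized or malformed requests,
while one that parses and normalises HTTP rejects them before the webserver."""
import re

# Limits are assumed values chosen for the demonstration.
MAX_REQUEST_LINE = 2048
MAX_HEADER_LINE = 4096
MAX_HEADERS = 64
MAX_BODY = 1 << 20
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
ALLOWED_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}
HEADER_NAME = re.compile(rb"[A-Za-z0-9-]+")


class ProxyReject(Exception):
    """Raised when the validating proxy refuses to relay a request."""


def forward_raw(request: bytes) -> bytes:
    """Byte-for-byte relay: whatever the client sent reaches the webserver."""
    return request


def forward_validated(request: bytes) -> bytes:
    """Parse, check limits, and re-serialise the request in canonical form."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyReject("incomplete header block")
    request_line, *header_lines = head.split(b"\r\n")

    if len(request_line) > MAX_REQUEST_LINE:
        raise ProxyReject("request line too long")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ProxyReject("malformed request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        raise ProxyReject("method not allowed")
    if version not in ALLOWED_VERSIONS:
        raise ProxyReject("unsupported HTTP version")
    # Request target must be an absolute path of printable ASCII only.
    if not target.startswith(b"/") or any(c < 0x21 or c > 0x7E for c in target):
        raise ProxyReject("malformed request target")

    if len(header_lines) > MAX_HEADERS:
        raise ProxyReject("too many headers")
    headers = []
    for line in header_lines:
        if len(line) > MAX_HEADER_LINE:
            raise ProxyReject("header line too long")
        name, colon, value = line.partition(b":")
        if not colon or not HEADER_NAME.fullmatch(name):
            raise ProxyReject("malformed header")
        headers.append((name.title(), value.strip()))
    names = [n for n, _ in headers]
    if names.count(b"Content-Length") > 1 or b"Transfer-Encoding" in names:
        # This demo only handles Content-Length bodies; refusing duplicate or
        # chunked framing also keeps proxy and webserver from disagreeing
        # about where the request ends.
        raise ProxyReject("ambiguous message framing")
    declared = next((v for n, v in headers if n == b"Content-Length"), None)
    if declared is None:
        if body:
            raise ProxyReject("body without Content-Length")
    else:
        if not declared.isdigit() or int(declared) > MAX_BODY:
            raise ProxyReject("bad Content-Length")
        if len(body) != int(declared):
            raise ProxyReject("body length mismatch")

    out = b" ".join((method, target, version)) + b"\r\n"
    out += b"".join(n + b": " + v + b"\r\n" for n, v in headers)
    return out + b"\r\n" + body


def relay_outcome(request: bytes) -> tuple:
    """Return (reached webserver via raw copy, reached webserver via validation)."""
    raw_ok = forward_raw(request) == request
    try:
        forward_validated(request)
        validated_ok = True
    except ProxyReject:
        validated_ok = False
    return raw_ok, validated_ok


if __name__ == "__main__":
    # Constructed sample requests: one ordinary, one with an oversized header.
    normal = b"GET /orders?id=7 HTTP/1.1\r\nHost: app.example\r\n\r\n"
    oversized = (b"GET / HTTP/1.1\r\nHost: app.example\r\n"
                 b"X-Filler: " + b"A" * 8192 + b"\r\n\r\n")
    for label, req in (("normal", normal), ("oversized header", oversized)):
        print(label, relay_outcome(req))
```

The point for the discussion is that the protection attributed to the reverse proxy comes from the parsing and limit enforcement in forward_validated, not from TLS termination as such; a product that behaves like forward_raw delivers exactly the input it received, so the webserver must still handle it. Conversely, the canonical re-serialised request is what a network IDS behind the proxy would see, and it is much easier to inspect than the encrypted stream in front of it.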