Greetings!

Peter Bruderer schrieb:

> One stance: To increase security some people want to put a reverse
> proxy between the browser and the webserver.

[...]

> The stance of my side: Just to increase security the additional
> reverse proxy is useless.  Reason: It does no protocol conversion,
> it does no authentication.  Buffer overflow attacks are not stopped
> at the reverse proxy, because it is just copying data from one socket
> to another after decrypting it.  Low level IP attacks are handled by
> the firewall

...hopefully. That is highly dependent on your firewall. For a proxy-based
firewall like Raptor or TIS/Gauntlet you will probably be correct - but most
packet-filter-based firewalls (Checkpoint Firewall-1, SonicWall, *BSD and
Linux kernel filters) will not check (enough) for low-level attacks.
"Tweaked" IP packets (e.g. purposeful length mismatch) or simple protocol
misuse will not be identified or filtered by the latter type.

So if (and only if) you have an application gateway firewall (Raptor, Gauntlet
or similar class) you are right. Else you should add a proxy to filter out
all packet-attacks and most of the simple protocol-based attacks. Of course a
firewall or proxy can never eliminate e.g. CGI-based attacks...

Bye
    Volker

--

Volker Tanger  <[EMAIL PROTECTED]>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/
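The kind of protocol-level sanity check an HTTP reverse proxy can apply before relaying a request, shown here as an added example that is not code from the thread or from any product named in it. It rejects simple protocol misuse (garbled request line, Content-Length that disagrees with the body) but deliberately forwards any well-formed request, including one aimed at a CGI script; the sample requests are constructed for illustration.

```python
# Added example: minimal request validation a reverse proxy could perform.
# It catches protocol misuse, not what a CGI script later does with the input.
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_NAME = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 7230 token


def check_request(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one raw HTTP/1.x request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group(1).decode() not in ALLOWED_METHODS:
        return False, "malformed request line or unsupported method"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not HEADER_NAME.fullmatch(name):
            return False, "malformed header field"
        headers[name.lower()] = value.strip()
    # Length mismatch is the classic "tweaked" request: declared size vs. actual.
    if b"content-length" in headers:
        if not headers[b"content-length"].isdigit():
            return False, "non-numeric Content-Length"
        if int(headers[b"content-length"]) != len(body):
            return False, "Content-Length does not match body size"
    elif body:
        return False, "body without Content-Length"
    return True, "forwarded"


# Constructed sample requests (not captured traffic).
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
BAD_LINE = b"GET /index.html HTTP/9.9\r\nHost: x\r\n\r\n"
LENGTH_MISMATCH = (b"POST /cgi-bin/form HTTP/1.1\r\nHost: x\r\n"
                   b"Content-Length: 4\r\n\r\nabcdefgh")
# Well-formed; the proxy forwards it no matter how the CGI script mishandles the value.
CGI_REQUEST = b"GET /cgi-bin/form?arg=anything HTTP/1.1\r\nHost: x\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("GOOD", GOOD), ("BAD_LINE", BAD_LINE),
                      ("LENGTH_MISMATCH", LENGTH_MISMATCH), ("CGI_REQUEST", CGI_REQUEST)]:
        print(name, check_request(req))
```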

