Security Basics mailing list archives
Re: Reverse proxy versus shifting webserver to DMZ
From: jean-philippe luiggi <jean-philippe.luiggi () didconcept com>
Date: Mon, 16 Jul 2007 18:39:50 -0400
Hello, Beside of just comparing reverse proxy vs hardening web server, i think the last one is a good choice because as you said, the risk to escalate privileges is real. You too need to consider reverse proxy because one with security features may help in protecting applications by inspecting the requests for malicious requests. Not saying that using such a tool likes this one may help to concentrate all the various log in one point. Last thing, saying a firewall hides the internal addressing is not allways true. I know plenty of places where the internal network is full of public IP (university, etc.) and they're protected by a firewall. Best regards, Jean-philippe. On 15 Jul 2007 12:54:05 -0000 barcajax () gmail com wrote:
Client=>Reverse proxy (DMZ)=>Webserver (internal) Is a reverse proxy really that advantageous over hardening a webserver and shifting it to the DMZ? I read a manual from a vendor that states the use of a reverse proxy hides the internal addressing. I disagree with this statement as the firewall does that function. The way I see it... a reverse proxy (that is built on a different OS from the webserver) prevents direct attacks on the webserver. However if the application is vulnerable, attackers can still compromise the backend by targeting its application flaws. It is possible to escalate privileges that way. This defeats the purpose of deploying a reverse proxy wouldn't it? !DSPAM:1,469b9b7e201891336712104!
Current thread:
- Reverse proxy versus shifting webserver to DMZ barcajax (Jul 16)
- Re: Reverse proxy versus shifting webserver to DMZ jean-philippe luiggi (Jul 17)
- Re: Reverse proxy versus shifting webserver to DMZ MaddHatter (Jul 17)