Security Basics mailing list archives

Re: Reverse proxy versus shifting webserver to DMZ


From: jean-philippe luiggi <jean-philippe.luiggi () didconcept com>
Date: Mon, 16 Jul 2007 18:39:50 -0400

Hello,

Besides just comparing reverse proxy vs hardening web server, I think
the last one is a good choice because as you said, the risk to escalate
privileges is real. You also need to consider a reverse proxy because one
with security features may help in protecting applications by
inspecting the requests for malicious requests.
Not saying that using a tool like this one may help to
concentrate all the various logs in one point.

Last thing, saying a firewall hides the internal addressing is not
always true. I know plenty of places where the internal network is
full of public IPs (university, etc.) and they're protected by a
firewall.

Best regards,

Jean-philippe.


On 15 Jul 2007 12:54:05 -0000
barcajax () gmail com wrote:

Client=>Reverse proxy (DMZ)=>Webserver (internal)
Is a reverse proxy really that advantageous over hardening a
webserver and shifting it to the DMZ? I read a manual from a vendor
that states the use of a reverse proxy hides the internal addressing.
I disagree with this statement as the firewall does that function.
The way I see it... a reverse proxy (that is built on a different OS
from the webserver) prevents direct attacks on the webserver. However
if the application is vulnerable, attackers can still compromise the
backend by targeting its application flaws. It is possible to
escalate privileges that way. This defeats the purpose of deploying a
reverse proxy, wouldn't it?




