Security Basics mailing list archives
Re: SSL VPN or reverse proxy?
From: Shailesh Rangari <shailesh.sf () gmail com>
Date: Thu, 5 Mar 2009 19:59:13 -0500
Dan,

IMHO HTTP Reverse Proxy is merely an added layer we attach to achieve one of the many purposes (viz. load balancing, encryption, etc.). But to put it in security perspective, you may stop script kiddies from attacking your web servers directly, but against a more skillful adversary you would run out of luck sooner than later.
An SSL VPN is comparatively more secure vis-a-vis HTTP Reverse Proxy. But I have to add a caveat to the earlier sentence owing to some of the issues you should be aware of pertaining to SSL implementation. SSL v2 is well known for a number of flaws. SSL v3 / TLS has rectified most of them and is considered much more secure than its v2 counterpart. SSL implementation can also lead to its own set of problems (e.g. the notorious OpenSSL implementation).
The more prominent attacks against SSL have been the ones that involve version rollback, cipher suite rollback, RSA blinding, to name a few. A good understanding of the protocol, a watertight implementation and a set of comprehensive security policies covering your implementation should help in keeping the threats to a manageable level.
Regards,
Shailesh

On Mar 5, 2009, at 6:03 PM, Dan Lynch wrote:

From a security perspective, when placed front ending an intranet web server that itself is SSL-enabled, is there any difference between an SSL VPN appliance, and a simple HTTP reverse proxy that performs authentication? Is there some class of threat that is addressed better by the SSL VPN, or not at all by the reverse proxy?

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA