Firewall Wizards mailing list archives

Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY


From: "Robert Collins" <robert.collins () itdomain com au>
Date: Thu, 22 Feb 2001 08:20:47 +1100

----- Original Message -----
From: "Ng Pheng Siong" <ngps () post1 com>
To: <agetchel () kde state ky us>
Cc: <darrenr () reed wattle id au>; <firewall-wizards () nfr net>
Sent: Thursday, February 22, 2001 3:27 AM
Subject: Re: [fw-wiz] Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY


On Tue, Feb 20, 2001 at 04:33:02PM -0500, agetchel () kde state ky us wrote:
you need to think about patching your boxes and using a reverse
application proxy that can detect attacks which may be used in the
defacement process (such as Unicode attacks or, like I mentioned above,
buffer overflow attacks).

Reverse proxies break X.509 cert-based client authentication.

--
Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps

I don't believe there's any protocol level reason why the reverse proxy
cannot perform the X.509 certificate authentication itself. Certainly
the web server AND the reverse proxy cannot both perform that
authentication.

AFAIK some of the commercial reverse proxies will perform authentication
on behalf of the webserver. What about things like the Cisco
LocalDirector? Although I'm not quite sure whether that's a reverse
proxy or a TCP load balancer :-].

Rob

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
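
The arrangement discussed in the message above, where the reverse proxy performs the X.509 client authentication and the web server relies on its result, as an added example that is not part of the original message. The header names, proxy address and DNs are assumptions made for illustration, and the proxy's own TLS verification is represented by the cert_verified flag.

```python
# Added example: header names, addresses and DNs below are constructed.
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # assumed proxy address
IDENTITY_HEADERS = ("x-client-verify", "x-client-dn")     # hypothetical names


def proxy_forward_headers(client_headers, cert_verified, subject_dn):
    """Proxy side: build the header set sent on to the web server.

    Anything the client sent under the identity header names is dropped,
    then the proxy writes the result of its own X.509 verification.
    """
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in IDENTITY_HEADERS}
    out["X-Client-Verify"] = "SUCCESS" if cert_verified else "NONE"
    if cert_verified:
        out["X-Client-DN"] = subject_dn
    return out


def backend_subject(peer_ip, headers):
    """Web server side: return the authenticated DN, or None.

    The identity headers are honoured only when the TCP peer is the proxy;
    a direct connection carrying the same headers is treated as anonymous.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-client-verify") != "SUCCESS":
        return None
    return h.get("x-client-dn") or None


if __name__ == "__main__":
    sent = {"Host": "www.example.test", "X-Client-DN": "CN=admin"}
    # No certificate presented, but the request carries an identity header.
    print(backend_subject("10.0.0.5", proxy_forward_headers(sent, False, None)))
    # Certificate presented and verified by the proxy.
    print(backend_subject("10.0.0.5",
                          proxy_forward_headers(sent, True, "CN=alice,O=Example")))
    # Same headers delivered to the web server without passing the proxy.
    print(backend_subject("192.0.2.77", {"X-Client-Verify": "SUCCESS",
                                         "X-Client-DN": "CN=admin"}))
```

The web server never sees the client certificate in this layout, so its access decisions are only as sound as the proxy-to-server hop; the address check here stands in for whatever authenticates that hop.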

