Penetration Testing mailing list archives
Re: Opinions on Security of Reverse Proxy
From: Bennett Todd <bet () rahul net>
Date: Fri, 28 Jun 2002 10:42:53 -0400
2002-06-25-11:50:46 Andrews, Ryan:
Here's a question for those conducting pen tests against reverse proxies: what are your opinions of reverse proxies?
Let's make sure we're talking about the same thing: a "reverse proxy" is just a proxy fronting a server, where all clients talk to the proxy rather than directly to the server, in contrast to the normal proxy setup where a specific population of clients go out through a proxy to contact all servers.

Most of the time, reverse proxies are talked about for fronting HTTP servers. Sometimes they're security-neutral; e.g. sometimes, when people set up servers on which it's very expensive to build pages, they'll slap a squid in front of it simply to accelerate the server. There's not typically any security implication one way or another to such an implementation strategy.

A reverse proxy, in the context of security discussions, can contribute to security by (a) limiting the exposure of the host, just like any other firewall; and (b) doing some sanity-checking of the actual HTTP content.

(a) is often what people focus on, but I think it's the less interesting part of the picture. Yes, configuring a reverse-proxy in front of a webserver may keep other unrelated ports (rpc, printer services, network filesystems, etc) from being reachable; but that same effect can be achieved with border routers, external firewalls, software packet filtering used to harden the host, careful daemon configuration, etc.

The big value add that a reverse proxy can add is meticulous validation of the queries sent to the server. Naturally, this is expensive to implement in proportion to the complexity of the site: the more diverse the range of possible requests that the site can service, the more complex the configuration required to describe all legitimate requests to the reverse proxy, and hence the greater temptation to short-cut the specification with over-general descriptions.

The very best reverse proxy design would not only validate requests, it would also reconstruct them from scratch, thereby automatically blocking completely off-the-wall attacks like the recent Apache chunked encoding brouhaha.

A nice, helpful feature in a reverse proxy would be the ability to have it auto-configure itself. Then all you need is a good coverage test for your website, and you can pull out a tight reverse proxy config for free.

Now this is the pen-test group, so a meaty question is what do reverse proxies mean to pen testers. Typically, they can be thought of as firewalls (since they block access to other ports on the http servers), with more or less (how tight is the URL-pattern tuning) application-specific screening to block attacks.

-Bennett
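
The validate-and-reconstruct design and the auto-configuration from a coverage run described in the message above, as an added Python example that is not part of the original post and not code from any proxy product. The function names, the sample coverage requests and the backend host name are assumptions made for illustration; only body-less requests are handled.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

def shape(value):
    """Generalize one observed parameter value into a pattern."""
    if re.fullmatch(r"[0-9]+", value):
        return r"[0-9]+"
    if re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return r"[A-Za-z0-9_-]+"
    return re.escape(value)  # anything unusual is allowed only verbatim

def learn(coverage):
    """Build {(method, path): {param: {patterns}}} from a coverage run."""
    rules = {}
    for method, url in coverage:
        parts = urlsplit(url)
        params = rules.setdefault((method, parts.path), {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            params.setdefault(name, set()).add(shape(value))
    return rules

def rebuild(rules, method, url, backend_host):
    """Return a freshly written request for the backend, or None to reject."""
    parts = urlsplit(url)
    allowed = rules.get((method, parts.path))
    if allowed is None or parts.scheme or parts.netloc or parts.fragment:
        return None
    clean = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if not any(re.fullmatch(p, value) for p in allowed.get(name, ())):
            return None  # unknown parameter or value outside the learned shape
        clean.append((name, value))
    target = parts.path + ("?" + urlencode(clean) if clean else "")
    # The client's header block (Transfer-Encoding included) is never copied:
    # the proxy writes its own request line and headers.
    head = f"{method} {target} HTTP/1.1\r\nHost: {backend_host}\r\nConnection: close\r\n\r\n"
    return head.encode("ascii")

# Constructed coverage run for a hypothetical site.
COVERAGE = [("GET", "/"), ("GET", "/item?id=42"), ("GET", "/search?q=proxy")]
RULES = learn(COVERAGE)

if __name__ == "__main__":
    for url in ["/item?id=7", "/item?id=7%20OR%201=1", "/item?id=7&debug=1", "/admin"]:
        print(url, "->", rebuild(RULES, "GET", url, "backend.internal"))
```

How tight the learned rules are depends entirely on the coverage run: a parameter seen only with numeric values is held to digits, and any path, method or parameter the run never exercised is rejected.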
Current thread:
- Opinions on Security of Reverse Proxy Andrews, Ryan (Jun 26)
- Re: Opinions on Security of Reverse Proxy Deus, Attonbitus (Jun 28)
- Re: Opinions on Security of Reverse Proxy Bennett Todd (Jun 29)