WebApp Sec mailing list archives
RE: Reverse Proxy and Link Encoding
From: "Bill Burge" <bill () burge com>
Date: Mon, 09 Jun 2003 16:26:28 -0700
Hmmm... I see what the first poster was saying and it seems interesting. A content filtering forward proxy that "knew" enough about your organization and the people inside it to block any requests going out that disclosed sensitive information. Interesting, but I can imagine the frustration - you probably couldn't make a web purchase without it blocking the credit card transaction. Also, the database of "information to block" might make v-e-r-y interesting reading if comprimised! On the subject of filtering forward proxies, they are full of gotcha's and false positives. I've built them and run them (not to that extreme). A friend of mine works for 3M (pharmaceutical division) and due ot their outbound proxy, can't browse sites with the "bad" words in them - including the word "drugs". bburge *********** REPLY SEPARATOR *********** On 6/9/2003 at 10:49 AM Amit Klein wrote:
Hi Amit > There's a slight difference in the implementation though. We do not change > the HTML pages so that links are pointing at AppShield. Rather, we let > AppShield (instead of the original web server) have the IP that is exposed > to the Internet, and then have AppShield forward the request to the web > server (which is not accessible from the Internet). Thus, the HTML pages are > not modified. In AppShield, we compare an incoming request to the links that > we extracted from the HTML pages, and if a match is found, we forward the > request. I think we both mean different applications. You seem to be talking about a reverse proxy that is typically put into a DMZ and lets people from the Internet (or other external networks) access web servers in a company's internal network by mapping their web space into the proxy's web space. I, on the other hand, was talking about a proxy that would be used to let people from an internal network access the Internet without having any client-provided information leaving to the Internet (and thereby ensuring that no hostile data like URL-based exploits threaten third parties' public web servers). You're right - AppShield is a reverse proxy, and I assumed this was the subject of the thread (whose title is "Reverse Proxy and Link Encoding"). I think you're talking about forward proxy. In the past, Sanctum considered the idea you suggested (that is, to offer a flavour of AppShield as a forward proxy server, protecting external sites from hacking from the internal zone), but this is not currently offered in AppShield. I suppose if there's a considerable traction to this feature, that we will reconsider. Thanks, -Amit
Current thread:
- Reverse Proxy and Link Encoding Michael Naef (Jun 01)
- RE: Reverse Proxy and Link Encoding Lluis Mora (Jun 03)
- RE: Reverse Proxy and Link Encoding Michael Naef (Jun 05)
- Re: Reverse Proxy and Link Encoding security lists (Jun 05)
- <Possible follow-ups>
- RE: Reverse Proxy and Link Encoding Amit Klein (Jun 05)
- RE: Reverse Proxy and Link Encoding Amit Klein (Jun 09)
- RE: Reverse Proxy and Link Encoding Bill Burge (Jun 09)
- Re: Reverse Proxy and Link Encoding Death Star (Jun 13)
- RE: Reverse Proxy and Link Encoding Lluis Mora (Jun 03)