RE: Reverse Proxy and Link Encoding

["Bill Burge" <bill () burge com>]

Hmmm...  I see what the first poster was saying and it seems interesting.

A content filtering forward proxy that "knew" enough about your organization and the people inside it to block any 
requests going out that disclosed sensitive information.

Interesting, but I can imagine the frustration - you probably couldn't make a web purchase without it blocking the 
credit card transaction.  Also, the database of "information to block" might make v-e-r-y interesting reading if 
comprimised!

On the subject of filtering forward proxies, they are full of gotcha's and false positives.  I've built them and run 
them (not to that extreme).  A friend of mine works for 3M (pharmaceutical division) and due ot their outbound proxy, 
can't browse sites with the "bad" words in them - including the word "drugs".

bburge

*********** REPLY SEPARATOR  ***********

On 6/9/2003 at 10:49 AM Amit Klein wrote:

> Hi Amit
>
>     > There's a slight difference in the implementation though. We do
>    not change
>     > the HTML pages so that links are pointing at AppShield. Rather,
>    we let
>     > AppShield (instead of the original web server) have the IP that
>    is exposed
>     > to the Internet, and then have AppShield forward the request to
>    the web
>     > server (which is not accessible from the Internet). Thus, the
>    HTML pages are
>     > not modified. In AppShield, we compare an incoming request to the
>    links that
>     > we extracted from the HTML pages, and if a match is found, we
>    forward the
>     > request.
>
>    I think we both mean different applications. You seem to be talking
>    about
>    a reverse proxy that is typically put into a DMZ and lets people
>    from the
>    Internet (or other external networks) access web servers in a company's
>    internal network by mapping their web space into the proxy's web space.
>
>    I, on the other hand, was talking about a proxy that would be used
>    to let
>    people from an internal network access the Internet without having any
>    client-provided information leaving to the Internet (and thereby
>    ensuring
>    that no hostile data like URL-based exploits threaten third parties'
>    public web servers).
>
> You're right - AppShield is a reverse proxy, and I assumed this was the
> subject of the thread (whose title is "Reverse Proxy and Link
> Encoding"). I think you're talking about forward proxy. In the past,
> Sanctum considered the idea you suggested (that is, to offer a flavour
> of AppShield as a forward proxy server, protecting external sites from
> hacking from the internal zone), but this is not currently offered in
> AppShield. I suppose if there's a considerable traction to this feature,
> that we will reconsider.
>
> Thanks,
> -Amit