Security Basics: Re: A Good Reverse Proxy Product

Re: A Good Reverse Proxy Product

From: Adriel Desautels <adriel_at_netragard.com>
Date: Mon, 05 May 2008 16:47:21 -0400

Aron,
        It's funny how sometimes the most simple solutions evade us isn't it?
I'd have to agree with what you said re: the VPN.

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Aaron Howell wrote:
> Dan Lynch wrote:
>> AFAIK, a simple HTTP reverse proxy offers very little protection against
>> attack. This is not my area of expertise, so please correct me if I'm
>> wrong.
>
> You're not wrong, but you're not quite right, either... (IMHO, of course...)
>
>> I've had recent need to address just this question, and from what I can
>> determine, a simple reverse proxy protects your web server (the OWA
>> server in your case) only against IP stack attacks. It does not protect
>> against attacks targeting HTTP or the web application itself.
>
> This is basically true, but it's not quite that cut-and-dried.
>
>> One needs to add a certain amount of application-layer logic to the
>> proxy in order to restrict what HTTP methods are allowed, lengths and
>> content of specific fields, session state-based attacks, SQL injection,
>> etc..
>
> If you add mod_security to an Apache reverse proxy, you get most (all?
> I'd have to do more checking than I have time for right now..) of this
> functionality.
>
>> This is important for OWA especially as it wants to be a domain
>> member server, leaving you with a domain member exposed to direct
>> internet connections, and the losing battle of trying to control
>> Microsoft domain traffic through a firewall.
>
> This is a really good point that nobody else has brought up. The rest
> of your post is also very informative, I just wanted to correct the
> point about Apache...
>
> If I can drift slightly off-topic: If it were my job to attempt to
> secure this OWA server, I would push hard for VPN access for the people
> needing to access it remotely, instead of trying to hide it behind a
> proxy/webapp Firewall/etc. You then remove its visibility to the
> Internet entirely (from the web-application standpoint, anyway...), and
> don't have to worry (as much) about it.
>
Received on May 05 2008
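The thread above argues that a plain HTTP reverse proxy only shields the OWA host at the IP-stack level, and that mod_security on an Apache reverse proxy is what supplies the application-layer restrictions (allowed methods, field lengths, body size). The configuration below is an added illustration of that setup; it is not from any of the posters, and the hostname, paths, size limits and rule ids are placeholders chosen for the example.

```apache
# Added example: Apache reverse proxy in front of an OWA server, with
# mod_security (ModSecurity v2 syntax) enforcing application-layer limits.
# "owa.internal.example", the size limits and the 9000xx rule ids are
# placeholders for this illustration.

ProxyRequests Off            # reverse proxy only; never act as a forward proxy
ProxyPreserveHost On
SSLProxyEngine On            # the backend is reached over HTTPS

# Publish only the OWA path; every other URL on this host is refused.
<Location "/">
    Require all denied
</Location>
<Location "/owa/">
    Require all granted
</Location>
ProxyPass        "/owa/" "https://owa.internal.example/owa/"
ProxyPassReverse "/owa/" "https://owa.internal.example/owa/"

<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRequestBodyLimit 10485760        # 10 MB cap on request bodies (attachments)
    SecRequestBodyNoFilesLimit 131072   # 128 KB cap on non-file form data
    SecAuditEngine RelevantOnly         # log only requests that trigger a rule
    SecAuditLog logs/modsec_audit.log

    # Allow only the HTTP methods the application needs; reject others in phase 1,
    # before any request body is read or forwarded to the OWA server.
    SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" \
        "id:900001,phase:1,deny,status:405,log,msg:'Method not allowed'"

    # Bound the request line: a 2048-byte URI is more than OWA needs.
    SecRule REQUEST_URI "@gt 2048" \
        "id:900002,phase:1,t:length,deny,status:414,log,msg:'URI too long'"

    # Bound individual query-string and form-field values (the "lengths of
    # specific fields" the thread mentions).
    SecRule ARGS "@gt 4096" \
        "id:900003,phase:2,t:length,deny,status:400,log,msg:'Argument too long'"

    # Only accept body encodings the backend expects on POST.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:900004,phase:1,chain,deny,status:415,log,msg:'Unexpected Content-Type'"
        SecRule REQUEST_HEADERS:Content-Type \
            "!@rx ^(?:application/x-www-form-urlencoded|multipart/form-data|text/xml)"
</IfModule>
```

Rules like these limit the request shapes that ever reach the domain-joined OWA host, which is the gap the thread identifies in a proxy that only forwards traffic; they do not replace the VPN-only access the reply recommends.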
