Re: Opinions on Security of Reverse Proxy
From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: 06/26/02
Date: Wed, 26 Jun 2002 07:34:18 -0700
To: "Andrews, Ryan" <RAndrew@alleghenyenergy.com>, "pen-test@Securityfocus. Com (E-mail)" <pen-test@securityfocus.com>
From: "Deus, Attonbitus" <Thor@HammerofGod.com>
At 08:50 AM 6/25/2002, Andrews, Ryan wrote:
>Here's a question for those conducting pen tests against reverse proxies:
>what are your opinions of reverse proxies?
Hey Ryan-
Reverse Proxy (or server publishing) can be a double-edged sword... The
obvious benefit is that you can have one box on the hostile network that is
hardened to spec, but that can publish to several internal boxes on the
service ports you want. From the network standpoint, it can cut way down
on administration.
However, if someone finds a hole in your application, they can gain access
to the internal network. As long as you know the risks and plan for them,
publishing can be an important security measure.
hth
AD
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/