Re: A Good Reverse Proxy Product



Aron,
It's funny how sometimes the most simple solutions evade us, isn't it? I'd have to agree with what you said re: the VPN.

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn


Aaron Howell wrote:
> Dan Lynch wrote:
>> AFAIK, a simple HTTP reverse proxy offers very little protection against
>> attack. This is not my area of expertise, so please correct me if I'm
>> wrong.
>
> You're not wrong, but you're not quite right, either... (IMHO, of course...)
>
>> I've had recent need to address just this question, and from what I can
>> determine, a simple reverse proxy protects your web server (the OWA
>> server in your case) only against IP stack attacks. It does not protect
>> against attacks targeting HTTP or the web application itself.
>
> This is basically true, but it's not quite that cut-and-dried.
>
>> One needs to add a certain amount of application-layer logic to the
>> proxy in order to restrict what HTTP methods are allowed, lengths and
>> content of specific fields, session state-based attacks, SQL injection,
>> etc.
>
> If you add mod_security to an Apache reverse proxy, you get most (all?
> I'd have to do more checking than I have time for right now..) of this
> functionality.
>
>> This is important for OWA especially as it wants to be a domain
>> member server, leaving you with a domain member exposed to direct
>> internet connections, and the losing battle of trying to control
>> Microsoft domain traffic through a firewall.
>
> This is a really good point that nobody else has brought up. The rest
> of your post is also very informative; I just wanted to correct the
> point about Apache...
>
> If I can drift slightly off-topic: if it were my job to attempt to
> secure this OWA server, I would push hard for VPN access for the people
> needing to access it remotely, instead of trying to hide it behind a
> proxy/webapp firewall/etc. You then remove its visibility to the
> Internet entirely (from the web-application standpoint, anyway...), and
> don't have to worry (as much) about it.
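As an added illustration of the "Apache reverse proxy plus mod_security" setup Aaron describes above (editor's example, not configuration posted by anyone in this thread), here is a minimal Apache httpd 2.4 virtual host that publishes only the OWA path and layers ModSecurity 2.x rules on top for the things Dan lists: allowed HTTP methods, lengths and content of specific fields, and generic injection. The hostnames, certificate and log paths, the /owa/ path, the logon parameter name "username", and the OWASP Core Rule Set include paths are all assumptions for illustration.

```apache
# Added example (not from the original post): Apache httpd 2.4 reverse proxy
# in front of OWA with ModSecurity 2.x rules. Hostnames, file paths, the
# OWA path, the logon parameter name and the CRS include paths are
# assumptions for illustration.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule security2_module modules/mod_security2.so

<VirtualHost *:443>
    ServerName webmail.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/webmail.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/webmail.example.com.key

    # Forward only the OWA path to the internal server. The proxy never
    # acts as a forward proxy and publishes nothing else.
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine On
    ProxyPass        /owa/ https://owa-internal.example.local/owa/
    ProxyPassReverse /owa/ https://owa-internal.example.local/owa/

    <Location />
        Require all denied
    </Location>
    <Location /owa/>
        Require all granted
    </Location>

    # ModSecurity engine: inspect request bodies, deny on match by default,
    # audit only the transactions that triggered a rule.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRequestBodyLimit 1048576
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecDefaultAction "phase:1,deny,status:403,log"
    SecDefaultAction "phase:2,deny,status:403,log"

    # 1. Which HTTP methods are allowed. The OWA browser UI needs GET, HEAD
    #    and POST; WebDAV verbs (PROPFIND, SEARCH, ...) and TRACE are
    #    rejected before the request reaches the domain-joined backend.
    SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" \
        "id:1001,phase:1,status:405,msg:'Disallowed HTTP method'"

    # 2. Length limits on specific fields. t:length replaces each value
    #    with its byte length, so @gt compares against that length.
    SecRule REQUEST_URI "@gt 2048" \
        "id:1002,phase:1,t:length,status:414,msg:'Request URI too long'"
    SecRule REQUEST_HEADERS:Cookie "@gt 8192" \
        "id:1003,phase:1,t:length,msg:'Oversized Cookie header'"
    SecRule ARGS "@gt 4096" \
        "id:1004,phase:2,t:length,msg:'Oversized request parameter'"

    # 3. Content of a specific field: the logon form's username parameter
    #    (name assumed) is held to a tight character set. A DOMAIN\user
    #    logon form would need the backslash added to this set.
    SecRule ARGS:username "!@rx ^[A-Za-z0-9._@-]{1,256}$" \
        "id:1005,phase:2,msg:'Unexpected characters in logon username'"

    # 4. A POST must carry one of the body types the application actually
    #    uses. The first rule of the chain carries the disruptive action and
    #    fires only if the chained rule also matches.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:1006,phase:1,chain,status:415,msg:'POST with unexpected Content-Type'"
        SecRule REQUEST_HEADERS:Content-Type \
            "!@rx ^(?:application/x-www-form-urlencoded|multipart/form-data|text/xml)" \
            "t:none"

    # 5. Generic injection (SQLi, XSS, protocol abuse) is better covered by
    #    the OWASP Core Rule Set than by hand-written regexes. Paths assumed.
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf
</VirtualHost>
```

Two caveats a practitioner would want. First, the method allow-list deliberately breaks everything except the browser UI: Exchange ActiveSync (OPTIONS and POST on /Microsoft-Server-ActiveSync) and Outlook Anywhere (RPC_IN_DATA/RPC_OUT_DATA on /rpc/) would have to be published as separate Location blocks with their own rules, or not at all. Second, none of this changes Dan's point that the box behind the proxy is still a domain member reachable over HTTP; the WAF narrows the attack surface to what the rules let through, while the VPN approach Aaron and Adriel settle on removes that surface from the Internet entirely.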


