Dan Lynch wrote:
> AFAIK, a simple HTTP reverse proxy offers very little protection against
> attack. This is not my area of expertise, so please correct me if I'm
> wrong.
You're not wrong, but you're not quite right, either... (IMHO, of course...)
> I've had recent need to address just this question, and from what I can
> determine, a simple reverse proxy protects your web server (the OWA
> server in your case) only against IP stack attacks. It does not protect
> against attacks targeting HTTP or the web application itself.
This is basically true, but it's not quite that cut-and-dried.
> One needs to add a certain amount of application-layer logic to the
> proxy in order to restrict what HTTP methods are allowed, lengths and
> content of specific fields, session state-based attacks, SQL injection,
> etc..
If you add mod_security to an Apache reverse proxy, you get most (all?
I'd have to do more checking than I have time for right now..) of this
functionality.
> This is important for OWA especially as it wants to be a domain
> member server, leaving you with a domain member exposed to direct
> internet connections, and the losing battle of trying to control
> Microsoft domain traffic through a firewall.
This is a really good point that nobody else has brought up. The rest
of your post is also very informative, I just wanted to correct the
point about Apache...
If I can drift slightly off-topic: If it were my job to attempt to
secure this OWA server, I would push hard for VPN access for the people
needing to access it remotely, instead of trying to hide it behind a
proxy/webapp Firewall/etc. You then remove its visibility to the
Internet entirely (from the web-application standpoint, anyway...), and
don't have to worry (as much) about it.
--
Aaron Howell
nGenuity Information Services
509-396-2075 x6000
http://www.ngenuity-is.com
Received on May 02 2008
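As an added illustration, not part of the original post or the thread, here is the shape of the Apache reverse proxy plus mod_security setup the reply refers to: mod_proxy forwards requests to an internal OWA host, Apache core directives cap request sizes, and ModSecurity 2.x rules restrict allowed methods, the length and character set of specific fields, and obvious injection patterns. Hostnames (owa.example.com, owa-int.example.com), rule IDs, the allowed-method list, and the login field name "username" are assumptions for the example; in particular, OWA versions that use WebDAV need more methods than GET/HEAD/POST, so the method list must be tuned against real traffic before enforcing.

```apache
# Added example (assumptions: hostnames, rule IDs, field names, method list).
# Apache 2.2-era syntax with ModSecurity 2.x loaded as mod_security2.

<VirtualHost *:443>
    ServerName owa.example.com
    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/owa.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/owa.example.com.key

    # Reverse proxy only; never act as a forward proxy for the Internet.
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass        / https://owa-int.example.com/
    ProxyPassReverse / https://owa-int.example.com/

    # IP/HTTP framing limits the core server enforces before the app sees them.
    LimitRequestLine      4096
    LimitRequestFieldSize 8190
    LimitRequestFields    50
    LimitRequestBody      10485760

    # --- mod_security: the application-layer logic from the quoted post ---
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRequestBodyLimit 10485760
    SecRequestBodyNoFilesLimit 131072
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # 1. Restrict HTTP methods. Assumed list; OWA variants using WebDAV
    #    (PROPFIND, SEARCH, POLL, ...) need those added or they will break.
    SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST)$" \
        "id:1001,phase:1,t:none,deny,status:405,log,msg:'Method not allowed'"

    # 2. Length and content of specific fields. 'username' is assumed to be
    #    the login form field; check the login page of your OWA version.
    SecRule ARGS:username "!^[A-Za-z0-9._@\\\\-]{1,64}$" \
        "id:1002,phase:2,t:none,deny,status:400,log,msg:'Bad username field'"
    SecRule ARGS:password "@gt 128" \
        "id:1003,phase:2,t:length,deny,status:400,log,msg:'Password too long'"

    # 3. Crude SQL-injection signature on all parameters. Illustrative only;
    #    a maintained rule set (e.g. the Core Rule Set) is what you would deploy.
    SecRule ARGS "(?i)(?:union\s+select|--\s|;\s*drop\s|'\s*or\s+'?\d+'?\s*=)" \
        "id:1004,phase:2,t:urlDecodeUni,t:compressWhitespace,deny,status:403,log,msg:'SQLi pattern'"

    # 4. Session handling: refuse requests that carry a session cookie whose
    #    value is not the expected shape (assumed cookie name 'sessionid').
    SecRule REQUEST_COOKIES:sessionid "!^[A-Za-z0-9]{16,128}$" \
        "id:1005,phase:1,t:none,deny,status:400,log,msg:'Malformed session cookie'"
</VirtualHost>
```

Run this with SecRuleEngine set to DetectionOnly first and read the audit log for a few days of real OWA use; the method list and field patterns above are guesses and will produce false positives until tuned to the actual client traffic. Note that nothing here addresses the quoted point about the OWA host being a domain member: the proxy only filters HTTP reaching the box, it does not change what the box itself can talk to.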