Imagine I have an architecture as shown.

In order to get to the internal web server, should I use a reverse proxy as shown and redirect traffic to my web server? Is this more secure than just opening rules at Firewall A and B and letting traffic through? And why is it more secure?

Thanks

Pang Ser Lark

2 Answers

Using a reverse proxy can thwart some exploits targeting the webserver.

  • Reverse proxies are usually simpler than webservers, so they are (in theory!) less likely to have vulnerabilities.
  • If the proxy is exploited, this does not yet give the attacker access to any data on the webserver or other systems behind the DMZ.

Note that this only applies to low-level exploits targeting the webserver directly. Any application-level exploits won't be affected by this at all. The proxy might also directly forward some exploitative connections as they are, so they work even through the proxy.

Philipp

Your architecture looks fine. Use of a reverse proxy also depends on the factors below:

  1. The number of web servers you are planning to host
  2. The number of public IP addresses you have
  3. Do you want a layer of abstraction between your LAN and the Web?

In terms of additional security, I believe a vulnerable application running anywhere will remain vulnerable, unless you are using a WAF (Layer 7 firewall) in between. Web Application Firewalls (WAF) can provide some breathing space till you patch the actual application. A reverse proxy won't help much in this regard.

You can go through the links below for more input. I found that many questions have already been asked about this.

  1. How effective are reverse proxies as a web application security measure?
  2. http://www.jscape.com/blog/bid/87841/Top-8-Benefits-of-a-Reverse-Proxy
  3. Safety of exposing an internal web application to the internet using a reverse proxy in the DMZ
Krishna Pandey
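
The distinction both answers draw between protocol-level and application-level attacks, shown as an added sketch that is not code from either answer: a toy proxy-side check refuses requests that are broken at the HTTP level, yet forwards a well-formed request whose URL carries an application-level payload. The function name, the size limit and the sample requests are constructed assumptions.

```python
# Added illustration, not code from either answer. The limit, the function
# name and the sample requests are constructed assumptions.
import re

MAX_HEADER_BYTES = 8192  # assumed proxy limit on the request header block
REQUEST_LINE = re.compile(
    rb"(GET|HEAD|POST|PUT|DELETE|OPTIONS) /[\x21-\x7e]* HTTP/1\.[01]")
HEADER_LINE = re.compile(rb"([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*([\x20-\x7e\t]*)")


def proxy_decision(raw: bytes):
    """Return ("reject", reason) or ("forward", bytes sent to the backend)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ("reject", "incomplete header block")
    if len(head) > MAX_HEADER_BYTES:
        return ("reject", "header block too large")
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.fullmatch(lines[0]):
        return ("reject", "malformed request line")
    headers = {}
    for line in lines[1:]:
        m = HEADER_LINE.fullmatch(line)
        if not m:
            return ("reject", "malformed header")
        name = m.group(1).lower()
        if name in headers:  # simplification: repeated headers are refused
            return ("reject", "duplicate header")
        headers[name] = m.group(2).strip()
    if b"content-length" in headers and b"transfer-encoding" in headers:
        return ("reject", "ambiguous message framing")
    # Re-serialise what was parsed: the backend never sees raw client bytes,
    # but the URL, header values and body pass through with their content intact.
    rebuilt = lines[0] + b"\r\n"
    rebuilt += b"".join(k + b": " + v + b"\r\n" for k, v in headers.items())
    return ("forward", rebuilt + b"\r\n" + body)


# Constructed sample requests.
OVERSIZED = (b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
             b"X-Pad: " + b"A" * 9000 + b"\r\n\r\n")
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: www.example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
APP_LEVEL = (b"GET /item?id=1'%20OR%20'1'='1 HTTP/1.1\r\n"
             b"Host: www.example.test\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("oversized", OVERSIZED), ("ambiguous", AMBIGUOUS),
                       ("app-level", APP_LEVEL)]:
        print(label, proxy_decision(req)[0])
```

The third request is syntactically valid HTTP, so the proxy has no protocol-level reason to refuse it; catching its query string requires content inspection of the kind a WAF performs, or a fix in the application itself.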