11

How effective are reverse proxies as a web application security device? Which types of threats do they mitigate against and which don't they?

For example are they more effective in preventing exploits against the proxied application web servers rather than against the applications themselves?

Scott Pack
Sim

4 Answers

11

Reverse proxies can be used as:

  • caching server and as a load balancer - that would help in mitigating DDoS attacks at some level;
  • proxy to hide the real server software from scans and fingerprints;
  • proxy where a WAF or IDS/IPS is set up, thus preventing an attacker from further intrusion steps.
5

In addition to the areas already mentioned, reverse proxies can be useful in defending against web server level issues.

This isn't such a common issue as it was, say, 10 years ago, but if there is a bug like a buffer overflow in the web server you're using, placing it behind a reverse proxy can help. This is especially useful if you have security concerns about the main web server but can't upgrade it immediately.

Of course, the tradeoff is that you're increasing your attack surface by introducing the reverse proxy (more software involved in the solution, more potential points of attack).

Rory Alsop
Rory McCune
  • 3
    And of course you have to have a reverse proxy that isn't vulnerable to the same threat, so they may have to be different applications, platforms, or you have to ensure the safety of the proxy (this is the attack surface increase noted in p3). – adric May 17 '12 at 14:36
5

@Ams answer is correct, in addition:

  • Some of the better reverse proxies also implement firewall functionality, with protocol awareness built in.
  • Also many WAFs work as reverse proxies.
  • Smarter/custom reverse proxies can also do routing/translation, so the interface the attacker sees is not the true interface.
AviD
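As an added example (not configuration from any answer in this thread), the following nginx reverse proxy puts into practice what the first answer and AviD's answer describe: it strips headers that fingerprint the backend, exposes a URL layout different from the backend's real one, and rate-limits clients. The backend address, hostname and certificate paths are assumptions; none of this helps with application-level bugs such as the SQL injection Lix mentions.

```nginx
# Added example: nginx in front of a hypothetical backend at 10.0.0.5:8080.
# All addresses, hostnames and paths below are made up for illustration.

events { worker_connections 1024; }

http {
    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # Per-client request rate: 10 requests/second keyed on the client address.
    limit_req_zone $binary_remote_addr zone=perclient:10m rate=10r/s;

    upstream backend_app {
        server 10.0.0.5:8080;   # the real application server (assumed)
    }

    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate     /etc/nginx/tls/example.crt;  # placeholder path
        ssl_certificate_key /etc/nginx/tls/example.key;  # placeholder path

        # nginx already drops the upstream Server and Date headers; also hide
        # other headers that reveal the backend stack to a scanner.
        proxy_hide_header X-Powered-By;
        proxy_hide_header X-AspNet-Version;

        # Public path /api/ maps onto an internal path the client never sees,
        # so the interface an attacker fingerprints is not the true one.
        location /api/ {
            limit_req zone=perclient burst=20 nodelay;
            proxy_pass http://backend_app/internal/v2/;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Everything not explicitly published is refused at the proxy, so
        # backend admin or debug paths are not reachable through it.
        location / {
            return 404;
        }
    }
}
```

The proxy itself is now part of the attack surface, as Rory McCune's answer notes, so it needs the same patching discipline as the server it shields.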
3

As a web application security measure they aren't very effective... close to zero effectiveness...

As somebody else pointed out before, the uses of reverse proxies aren't related to application-level security.

If your application has SQL injection vulnerabilities or any other, a reverse proxy is not going to help at all.

Lix
  • 2
    Ah yes, the proxy by itself is about as useful protection as NAT is, but as pointed out above many of the "reverse proxy" platforms have other useful, effective security functions. – adric May 17 '12 at 14:34