4

Common wisdom is that internal applications that live inside of the trusted network, such as Exchange, should be reverse proxies whenever they are exposed to the Internet. Microsoft recommends using UAG/TMG for this as it has some built in security features. Mod_security has a similar role in apache reverse proxy scenarios. However, I see an awful lot of installations where a reverse proxy is used but this additional security layer is not used.

Why even bother with a reverse proxy in this scenario? If you're not using some L7 logic to mitigate attacks, what are the benefits of adding the proxy layer vs. just exposing the application directly?

MDMarra
  • 100,183
  • 32
  • 195
  • 326

2 Answers2

4

From the perspective of defense from attack, not filtering in/out data of course does not add anything of value. One could argue that proxying without forethought in fact lowers security in that:

  • greater complexity is introduced, often with a vengeance.
  • less transparency in that multiple log and alerting layers need correlation per transaction.
  • attack surface increases through additional subsystems.
  • greater diversification of systems increases the risk of human error.
  • every system carries bugs which introduce uncertainties, proxies are no exception.

not to mention the wastes in technological resources (machines, storage, backup/restore etc).

On the other hand, there may be wins which relate to security in other ways:

  • Load balancing and failover possibilities.
  • Greater flexibility in the separation of access layer from service layer (i.e. easier to do maintenance, restructure etc).
  • The future option to easily introduce filtering and whatnot without contention for system resources in the service layer.
  • Separating other functions than simple attack signature filtering, such as rewrite logic or certain logging, for instance making for greater ease of configuration and lesser risk during change.
  • Certain functions may be better documented or known on the proxy platform, giving greater over all stability and control or a lessening of unknowns through moving them away from the backend.

I'm sure there's more, this just from the top of my head.

ErikE
  • 4,676
  • 1
  • 19
  • 25
  • 1
    It's tough to put up a "sorry server" if you don't have something up front that can catch and redirect. Of course, your LB solution might be able to provide this natively. – mfinni Nov 19 '13 at 22:30
2

There was a time that the default install of Apache simply had fewer known security holes than a default install of IIS; that alone was a security improvement.

Thus, it may have simply become tribal lore because it was once a best practice.

mfinni
  • 35,711
  • 3
  • 50
  • 86