
Re: [WEB SECURITY] Web app on IIS6: Through reverse proxy or publish directly



Hi.

In my opinion, in some cases there is no need for a reverse proxy, but
usually I'd prefer
to have it in the solution even then, because you can easily implement
a WAF and more levels of authentication and logging, and it protects from
direct attacks through the firewall holes. A proxy can be more resistant to
SYN floods. You should keep in mind that a reverse proxy potentially
adds HTTP splitting and smuggling vulnerabilities to your system.
Perhaps HTTP pipelining from the reverse proxy to the web application server
must be disabled despite a performance degradation.

2008/1/24, Arbon Askar <filenotfound@xxxxxxxx>:
>
> I have been searching for guidance on publishing a web application running
> on IIS6 in the DMZ to the internet. If adequate care is taken to harden the
> host OS, IIS and the web application, is there a significant security
> advantage in using a reverse proxy to publish the app on to the internet?
>
>  Regards,
>
>  AA


-- 
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org