Reverse Proxy

I have seen a number of DMZ implementations which have a reverse proxy in there, forwarding traffic to a more secure zone somewhere else.  It isn't obvious why this is a good idea.  In fact it's so subtle it probably shouldn't have ever happened.

And in fact the reverse proxy might just make things worse if it isn't done correctly.

I think the IT people I've spoke to just find it a convenient way to publish otherwise internal applications onto the Internet without much consideration for security.

Does the reverse proxy stop those systems getting hacked?  Probably not.  If you wanted security, you might want a web application firewall instead of a reverse proxy.  You could look at mod_security for apache, or if budget is no object there are some serious appliances available. 

Using a reverse proxy:

1. The servers that it forwards connections to need to be considered vulnerable and placed into a DMZ. 
2. You need to enable the security features.
3. You need to secure the reverse proxy. 
4. You could usefully use the proxy to add authentication to applications, terminate SSL and log requests.  The logs may still be valid if the server it is protecting gets hacked, which may be useful. 

It will protect your back-end web server from attacks at the TCP and IP stack layer.  But we don't see many of those these days.

So, in general:

• Don't do it. 
• If you do it, remember the web servers behind it still need to be in a segregated network.
• If you want security, deploy a web application firewall, not a straight forward reverse proxy.