Discussion Lists wrote:
> Hi Tom,
> People should correct me if I am wrong, however a proxy server such as
> squid doesn't know the difference between a legitimate web request, and
> a malicious one. Both can, and in most cases are required to be
> compliant with various networking RFC's. A malformed GET request, for
> instance, done with just the right payload (no need to tweak it to work
> with squid), and aimed at a sufficiently vulnerable windows box/service
> is all it takes. Reverse-shell spawning payload would give the attacker
> unlimited to your machine at that point. Since all a proxy server does
> is forward web transactions, that service is nearly as vulnerable as if
> the box was sitting naked on the Internet. So without knowing more
> details, this comes down to a question of how well patched is your web
> service?
>
> Hope that helps,
> Mark
>
Hello,
I have not (yet) used squid as a reverse proxy, but we had a similar
discussion a couple of weeks ago in the office. A software vendor and
the person responsible for the new service insisted using a reverse
proxy for security reasons.
My point of view is similar with yours, any request with the "right"
payload will hit the webserver regardless if a reverse proxy is used or not.
The only way to improve the situation could be a reverse proxy with
filtering capabilities as provided by some firewall products.
When implementing a reverse proxy based on free software I can only
think of squid or apache with mod_proxy but IMHO both will not filter
the requests. Am I on the right track?
Regards,
Hendrik Voigtländer
Received on Sun Sep 05 2004 - 03:08:13 MDT
This archive was generated by hypermail pre-2.1.9 : Fri Oct 01 2004 - 12:00:02 MDT