Risks associated with Reverse-Proxy

We used to put the Web servers in the DMZ and the Application Servers in the LAN. Now we are discussing the risks...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

and benefits of an architecture with a Reverse-Proxy in the DMZ and the rest of the servers (Web & Application servers) in the LAN. What do you think about this change? What are the risks associated with an architecture based on a Reverse-Proxy?

The benefit of using Reverse-Proxy is that your actual servers have no direct connection to the Internet as they do if they are in the DMZ. Clients talk to the Proxy, which in turn can talk to the real server. In order for this to work, the proxy server needs a way to pass requests through the firewall to the real server. This is where there is some additional risk. What ports do you need to open on your firewall to make this work? Can those openings in the firewall be restricted to only proxy-to-server communications? If not, other applications could make use of the opening created to attack your LAN.

One way to minimize the risk would be to set up a seperate segment for your servers behind the firewall. Then the firewall rules that you need to implement for the reverse-proxy can be limited to that segment and not affect the rest of the LAN (assuming you are using a firewall that allows seperate rules for each segment). This gives you the benfit of reverse-proxy that you are seeking, without changing the firewall protection for the rest of the LAN.

Dig Deeper on Information security policies, procedures and guidelines

SearchCloudSecurity

More on this topic

proxy server

Security Think Tank: In-depth protection is a matter of basic hygiene

DMZ (networking)

How do I grant users outside the LAN access to OWA?

6 SaaS security best practices to protect applications

Review these 7 CASB vendors to best secure cloud access

CASB explained: Know its use cases before you buy

10 network security tips in response to the SolarWinds hack

Considerations for SASE management and troubleshooting

Cisco sweetens Acacia deal by $2 billion

What CIOs need to know about RPA in IT operations

Parler sues AWS, seeks restraining order

Digital healthcare top priority for CIOs in 2021

Will Windows 10 be the last Windows OS?

CES: Laptops sport designs friendly for remote workers

Evaluate if Windows 10 needs third-party antivirus

IBM acquisition spree targets hybrid cloud consulting market

How to choose between IaaS and SaaS cloud models

COVID-19 and remote work shift cloud predictions for 2021

Should I be worried about MFA-bypassing pass-the-cookie attacks?

Few workers see employers as ready for new normal

More subpostmasters’ prosecutions sent to appeal for wrongful conviction