Data Centers

Implement a reverse proxy to secure corporate data

This tip describes how reverse proxies work to secure your Web server and provides guidance on implementation.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

According to one security axiom, "You cannot deny that which you must allow." And one of the best examples of this statement is corporate Web servers. As you probably know, Web servers are the most probed and attacked corporate machines on the Internet.

The reason your Web server exists is to enable untrusted, unknown hosts to connect to the machine and retrieve information or conduct business with your company. While you can't deny this untrusted connection, you can secure it.

Just because you must maintain a presence on the Internet doesn't mean that you can ignore network security and allow anyone to directly connect to this high-profile target. It's vital that you take steps to secure these public-facing Web servers, and reverse proxies are your best line of defense.

Let's look at how reverse proxies work. An unknown client opens a browser and enters the URL of your Web site. DNS or Network Address Translation (NAT) at your firewall or router redirects the Web content request to the reverse proxy.

The reverse proxy then checks its cache for the request and sends the content to the unknown client. Or the reverse proxy sends a request to the Web server for content and sends the request back to the unknown client.

Using this model, reverse proxies can provide a boost in performance; the Web server doesn't need to handle any transactions that already reside in the reverse proxy cache. And at the same time, this process better secures your Web servers.

Web server vulnerabilities surface on a fairly regular basis. Most corporate Web sites implement a database back-end that stores the Web content or financial information for Web clients.

You can create another security layer for your data by leaving "trusted" content servers on your internal network and placing the reverse proxy in your demilitarized zone (DMZ). This isolates public servers from private "trusted" servers. This additional security layer forces an attacker to attack the proxy because the firewall allows only the proxy to communicate with the Web content servers.

Most high-end reverse proxies run a proprietary operating system and are immune to Web server attacks, regardless of the type of Web server they protect. An attacker would have to discover the type of reverse proxy you're running and then successfully compromise that machine. And in the event of a successful hack, the black hat will only have access to information involved in a single transaction, rather than to the internal trusted database.

Final thoughts

If you must maintain a public Web server that serves content from protected internal servers, you must protect that information—or risk exposing that data and losing your clients. Reverse proxies are simple to implement and provide strong security against Web server attacks.

There are several excellent reverse proxy vendors. At the top of my reverse proxy list are Network Appliance's NetCache, Cisco's Content Engine, Blue Coat's ProxySG, and the freely available Squid that runs on UNIX.

Editor's Picks