According to one security axiom, “You cannot deny that which you must allow.” Corporate Web servers are one of the best examples of this statement. As you probably know, Web servers are the most probed and attacked corporate machines on the Internet.

The reason your Web server exists is to enable untrusted, unknown hosts to connect to the machine and retrieve information or conduct business with your company. While you can’t deny this untrusted connection, you can secure it.

Just because you must maintain a presence on the Internet doesn’t mean that you can ignore network security and allow anyone to connect directly to this high-profile target. It’s vital that you take steps to secure these public-facing Web servers, and reverse proxies are your best line of defense.
Let’s look at how reverse proxies work. An unknown client opens a browser and enters the URL of your Web site. DNS or Network Address Translation (NAT) at your firewall or router redirects the Web content request to the reverse proxy.

The reverse proxy then checks its cache for the requested content. On a cache hit, it sends the content to the unknown client directly. On a miss, the reverse proxy requests the content from the Web server and relays the Web server’s response back to the unknown client.

Using this model, reverse proxies can provide a boost in performance, because the Web server doesn’t need to handle any transactions whose content already resides in the reverse proxy cache. At the same time, this process better secures your Web servers: the client never talks to the content server itself.
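The cache-check-then-forward path described above, as an added example that is not code from the article or from any of the products it names: a small caching reverse proxy in Go. The names Accelerator and NewAccelerator, the X-Cache header, and the single internal origin URL are my assumptions; the origin is whatever content server the firewall permits the proxy to reach.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync"
)

// cached is one stored origin response (headers and body of a 200 reply).
type cached struct {
	header http.Header
	body   []byte
}
// tee passes the origin's response through to the client while keeping a copy.
type tee struct {
	http.ResponseWriter
	status int
	body   []byte
}
func (t *tee) WriteHeader(code int)          { t.status = code; t.ResponseWriter.WriteHeader(code) }
func (t *tee) Write(b []byte) (int, error) { t.body = append(t.body, b...); return t.ResponseWriter.Write(b) }
// Accelerator is a caching reverse proxy: cached GETs are answered by the DMZ proxy itself; misses go to the one trusted origin.
type Accelerator struct {
	cache sync.Map // path -> *cached (unbounded; a real proxy bounds and evicts)
	proxy *httputil.ReverseProxy
}
func NewAccelerator(origin *url.URL) *Accelerator {
	return &Accelerator{proxy: httputil.NewSingleHostReverseProxy(origin)}
}
func (a *Accelerator) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	key := r.URL.Path
	if v, ok := a.cache.Load(key); ok && r.Method == http.MethodGet {
		e := v.(*cached)
		for k, vals := range e.header {
			w.Header()[k] = vals
		}
		w.Header().Set("X-Cache", "HIT")
		w.WriteHeader(http.StatusOK)
		w.Write(e.body)
		return
	}
	t := &tee{ResponseWriter: w, status: http.StatusOK}
	t.Header().Set("X-Cache", "MISS")
	a.proxy.ServeHTTP(t, r) // the origin is contacted only on a miss
	if r.Method == http.MethodGet && t.status == http.StatusOK { // cache successful GETs only
		a.cache.Store(key, &cached{t.Header().Clone(), t.body})
	}
}
```

A production proxy also honours Cache-Control and bounds the cache; this one shows only the hit/miss decision and the fact that only the proxy ever opens a connection to the internal server.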
Web server vulnerabilities surface on a fairly regular basis. Most corporate Web sites implement a database back end that stores the Web content or financial information for Web clients.

You can create another security layer for your data by leaving “trusted” content servers on your internal network and placing the reverse proxy in your demilitarized zone (DMZ). This isolates public servers from private “trusted” servers. This additional security layer forces an attacker to attack the proxy, because the firewall allows only the proxy to communicate with the Web content servers.

Most high-end reverse proxies run a proprietary operating system and are not affected by the vulnerabilities of the Web server software they protect, regardless of the type of Web server behind them. An attacker would have to discover the type of reverse proxy you’re running and then successfully compromise that machine. And in the event of a successful hack, the black hat will only have access to the information involved in a single transaction, rather than to the internal trusted database.
Final thoughts
If you must maintain a public Web server that serves content from protected internal servers, you must protect that information, or risk exposing that data and losing your clients. Reverse proxies are simple to implement and provide strong security against Web server attacks.

There are several excellent reverse proxy vendors. At the top of my reverse proxy list are Network Appliance’s NetCache, Cisco’s Content Engine, Blue Coat’s ProxySG, and the freely available Squid that runs on UNIX.