RE: Reverse Proxy and Link Encoding
From: Bill Burge (bill burge.com)
Date: Mon Jun 09 2003 - 18:26:28 CDT
Hmmm... I see what the first poster was saying and it seems interesting.
A content filtering forward proxy that "knew" enough about your organization and the people inside it to block any requests going out that disclosed sensitive information.
Interesting, but I can imagine the frustration - you probably couldn't make a web purchase without it blocking the credit card transaction. Also, the database of "information to block" might make v-e-r-y interesting reading if compromised!
On the subject of filtering forward proxies, they are full of gotchas and false positives. I've built them and run them (not to that extreme). A friend of mine works for 3M (pharmaceutical division) and due to their outbound proxy, can't browse sites with the "bad" words in them - including the word "drugs".
bburge
*********** REPLY SEPARATOR ***********
On 6/9/2003 at 10:49 AM Amit Klein wrote:
>Hi Amit
>
> > There's a slight difference in the implementation though. We do not change
> > the HTML pages so that links are pointing at AppShield. Rather, we let
> > AppShield (instead of the original web server) have the IP that is exposed
> > to the Internet, and then have AppShield forward the request to the web
> > server (which is not accessible from the Internet). Thus, the HTML pages are
> > not modified. In AppShield, we compare an incoming request to the links that
> > we extracted from the HTML pages, and if a match is found, we forward the
> > request.
>
> I think we both mean different applications. You seem to be talking about
> a reverse proxy that is typically put into a DMZ and lets people from the
> Internet (or other external networks) access web servers in a company's
> internal network by mapping their web space into the proxy's web space.
>
> I, on the other hand, was talking about a proxy that would be used to let
> people from an internal network access the Internet without having any
> client-provided information leaving to the Internet (and thereby ensuring
> that no hostile data like URL-based exploits threaten third parties'
> public web servers).
>
>You're right - AppShield is a reverse proxy, and I assumed this was the
>subject of the thread (whose title is "Reverse Proxy and Link
>Encoding"). I think you're talking about forward proxy. In the past,
>Sanctum considered the idea you suggested (that is, to offer a flavour
>of AppShield as a forward proxy server, protecting external sites from
>hacking from the internal zone), but this is not currently offered in
>AppShield. I suppose if there's a considerable traction to this feature,
>that we will reconsider.
>
>Thanks,
>-Amit
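
The matching step described in the quoted text above (compare each incoming request with the links extracted from pages already served, forward only on a match), as an added Python sketch that is not part of the thread and is not AppShield's code. `LinkGate`, `ENTRY_POINTS`, the per-session tracking and the sample host names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ENTRY_POINTS = {"/"}  # assumption: URLs a visitor may request with no prior page

def normalize(url):
    """Reduce a URL to path plus query string; scheme, host and fragment are dropped."""
    parts = urlsplit(url)
    return (parts.path or "/") + ("?" + parts.query if parts.query else "")

class LinkExtractor(HTMLParser):
    """Collects same-host href/src targets from one HTML response."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                absolute = urljoin(self.page_url, value)
                # Off-site links never come back to this proxy, so skip them.
                if urlsplit(absolute).netloc == urlsplit(self.page_url).netloc:
                    self.links.add(normalize(absolute))

class LinkGate:
    """Per-session allowlist of the links the backend actually served (assumed design)."""

    def __init__(self):
        self.allowed = {}  # session id -> set of normalized URLs

    def record_response(self, session, page_url, html):
        extractor = LinkExtractor(page_url)
        extractor.feed(html)
        self.allowed.setdefault(session, set()).update(extractor.links)

    def permit(self, session, requested_url):
        target = normalize(requested_url)
        return target in ENTRY_POINTS or target in self.allowed.get(session, set())

# Constructed sample page, as if returned by the backend for /app/index.
SAMPLE_HTML = '<a href="view?id=7">item</a> <img src="/img/logo.png"> <a href="http://other.example/x">partner</a>'

if __name__ == "__main__":
    gate = LinkGate()
    gate.record_response("s1", "http://shop.example/app/index", SAMPLE_HTML)
    for url in ("/app/view?id=7", "/app/view?id=8", "/admin", "/"):
        print(url, "->", "forward" if gate.permit("s1", url) else "block")
```

Form submissions, whose parameters are supplied by the user, are outside what this sketch handles; it matches only links that appear verbatim in a served page.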