Reverse Proxy Three Myths Busted




Discover the real facts about how reverse proxy enables enhanced security and IT efficiency.

Written by Joe Campbell, Principal Solutions Architect, Dell Software

Abstract

Most enterprises today use forward proxy (or simply "proxy") technology all the time. In particular, they use web proxies: internal users don't actually connect directly to the internet, but to a proxy server. This proxy server captures the data from requested websites and forwards it to users behind the firewall, usually without the user even knowing the proxy exists. Web proxies can enhance security (for example, by blocking access to certain websites), enable tracking of user web activity, and improve performance by caching website content for reuse.

Although forward proxies are commonplace, some organizations have been reluctant to take advantage of a similar technology, the reverse proxy. Like forward proxies, reverse proxies can improve security and performance, and they offer a host of additional benefits as well, including encryption, load balancing and even single sign-on (SSO). This white paper explains the reverse proxy server and debunks three key myths that may be keeping your organization from reaping the benefits of this valuable technology.

Forward proxies, especially web proxies, are commonplace in organizations today, for good reason. With a web proxy, internal users don't actually connect directly to the internet but to a proxy server that captures the content from a website and forwards it to the user behind the firewall, as illustrated in Figure 1. Usually, the user does not even know the proxy exists; it is transparent to the user.

[Figure 1. A web proxy in action: User -> Web proxy -> Internet]

Proxies like this can provide a number of benefits to organizations:

Security. A proxy can restrict access to sites known for objectionable or dangerous material like phishing attacks, malware and Trojan horses.

Auditing. A proxy server can track access requests and provide forensic details and logging to security experts looking for details during a security audit.

Performance. Some proxies support website caching: the proxy captures the web page content and saves it locally. When a user requests a cached page, it can be rendered almost immediately, since it does not need to be downloaded again from the internet.

The reverse proxy server

A reverse proxy is essentially the same technology but in reverse: while a forward proxy proxies on behalf of users or other clients accessing almost any internet site, a reverse proxy proxies on behalf of a particular set of servers stationed behind an internet site, as shown in Figure 2. Reverse proxies can (and often do) obfuscate or hide the origin of the website the user is trying to access. For example, the user in Figure 3 is requesting sitea.reverseproxy.com but, without knowing it, is actually receiving data from hidden.sitea.com.

[Figure 2. A reverse proxy: User -> Internet -> Reverse proxy -> Site A, Site B]
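The request flow of Figure 3, carried one step further into the access control and SSO credential injection that the paper lists as reverse proxy benefits, as an added example. This is not Cloud Access Manager code: the origin servers are simulated in-process, and the hostnames other than sitea.reverseproxy.com and hidden.sitea.com, the users, groups and the vaulted credential are all constructed for the illustration.

```python
"""Toy reverse proxy pipeline in the style of Figure 3: map the public hostname to
the hidden origin, authenticate and authorize at the proxy, replay a vaulted
credential when a legacy app answers 401 with a Basic challenge (the SSO
injection described in the benefits list), and rewrite links in the response
so the origin stays hidden.  Added example, not Cloud Access Manager code;
origins are simulated in-process and every name and credential is constructed."""
from base64 import b64encode
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Public name the user requests -> hidden origin the proxy actually calls.
SITE_MAP: Dict[str, str] = {
    "sitea.reverseproxy.com": "hidden.sitea.com",      # from the paper's Figure 3
    "hr.reverseproxy.com": "hr.internal.example",      # constructed
}
# Groups entitled to each published site (constructed policy).
ACCESS_POLICY: Dict[str, FrozenSet[str]] = {
    "sitea.reverseproxy.com": frozenset({"employees", "partners"}),
    "hr.reverseproxy.com": frozenset({"hr-staff"}),
}
# (proxy user, origin) -> credential the proxy replays to that legacy app (constructed).
CREDENTIAL_VAULT: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("alice", "hidden.sitea.com"): ("alice", "s3cret"),
}


@dataclass
class Request:
    host: str
    path: str
    session_user: Optional[str] = None          # None: no proxy session yet
    groups: FrozenSet[str] = frozenset()
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


def _basic_token(user: str, password: str) -> str:
    return "Basic " + b64encode(f"{user}:{password}".encode()).decode()


def upstream(req: Request) -> Response:
    """Simulated origin servers.  hidden.sitea.com only speaks Basic auth."""
    if req.host == "hidden.sitea.com":
        if req.headers.get("Authorization") != _basic_token("alice", "s3cret"):
            return Response(401, headers={"WWW-Authenticate": 'Basic realm="sitea"'})
        return Response(200, '<a href="http://hidden.sitea.com/reports">Reports</a>')
    if req.host == "hr.internal.example":
        return Response(200, "<p>HR portal</p>")
    return Response(502)


def rewrite_links(body: str, origin: str, public: str) -> str:
    """Point absolute links at the proxy's public name so the origin stays hidden."""
    return body.replace(f"http://{origin}", f"https://{public}")


def handle(req: Request) -> Response:
    origin = SITE_MAP.get(req.host)
    if origin is None:
        return Response(404)                    # unpublished host: nothing to reach
    if req.session_user is None:                # authenticate first ...
        return Response(302, headers={"Location": "https://login.reverseproxy.com/"})
    if not (req.groups & ACCESS_POLICY[req.host]):
        return Response(403)                    # ... then authorize by group membership
    proxied = Request(origin, req.path, req.session_user, req.groups, dict(req.headers))
    proxied.headers["Host"] = origin
    resp = upstream(proxied)
    challenge = resp.headers.get("WWW-Authenticate", "")
    if resp.status == 401 and challenge.startswith("Basic"):
        cred = CREDENTIAL_VAULT.get((req.session_user, origin))
        if cred is not None:                    # SSO: answer the challenge on the user's behalf
            proxied.headers["Authorization"] = _basic_token(*cred)
            resp = upstream(proxied)
    if resp.status == 200:
        resp.body = rewrite_links(resp.body, origin, req.host)
    return resp


if __name__ == "__main__":
    alice = Request("sitea.reverseproxy.com", "/", "alice", frozenset({"employees"}))
    result = handle(alice)
    print(result.status, result.body)
```

The ordering in `handle` is the point: a host that is not published gets a 404 before anything is forwarded, a request without a proxy session is sent to log in before the origin is ever contacted, and only an entitled, authenticated user triggers the upstream call and the credential replay. A user without a vaulted credential sees the origin's 401 pass through, which is the behaviour to expect when SSO has not been configured for that application.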

[Figure 3. Reverse proxy in action: the user's request for sitea.reverseproxy.com reaches the reverse proxy, which issues the proxied request to hidden.sitea.com on the web server]

Setting up a reverse proxy offers significant benefits:

Access control. A reverse proxy can capture requests to a targeted website and reject or deny each request based on a security policy.

Encryption. A reverse proxy can encrypt or apply SSL to a site that is otherwise unsecured or not encrypted.

Caching. A reverse proxy can often cache certain items like pictures or HTML code for targeted websites, which will speed the user's browsing experience.

Extranet access. A reverse proxy can securely render an internal webpage to users outside the firewall. In this model, the actual server itself remains untouched by the external user, whose access is limited to what the reverse proxy is allowed to show.

User session management and SSO. Some reverse proxies are capable of injecting code or automatically replying to downstream server requests for authentication to a requested website. In this model, SSO can be achieved with a site that would otherwise never support that capability.

Debunking three important myths about reverse proxies with Dell One Identity Cloud Access Manager

Unfortunately, many organizations are missing out on the benefits of reverse proxies because of three common myths:

1. VPN technology is the best way to ensure network security.
2. A proxy will create an application bottleneck.
3. Firewalls are secure; reverse proxies are not.

Let's debunk these myths and explore how the right reverse proxy solution, such as Dell One Identity Cloud Access Manager, part of the Dell One Identity products from Dell Software, can be a valuable component of your network infrastructure.

Myth #1: VPN technology is the best way to ensure network security.

Firewalls are an essential part of any network security strategy, and they often include Virtual Private Network (VPN) technology for secure access to internal resources.
VPN is an extremely useful technology for organizations because it enables a computer to securely send and receive data across the internet as if it were directly connected to the private corporate network. However, VPN has important limitations.

First, VPN software must be installed on the client computer, which limits user access to the technology. For instance, suppose you are at a public place, like your local library, and you receive an urgent message on your phone that requires you to immediately access an internal site and update some data in your HR system. But, of course, the librarian isn't going to offer you a local admin account on their computer network, so you can't install your VPN software and get the secure access you need. In situations like this, VPN technology is useless.

Moreover, VPN technology is best suited for your internal trusted employees only. Organizations that use VPN to provide partners with secure access to internal applications make themselves more vulnerable to attack. When a user connects via your VPN gateway, they are essentially on your network: they can search for vulnerabilities using methods like port scanning or simple ping scripts. Therefore, the idea that VPN is the solution for all your secure access needs is a myth.

Fact: You can use a reverse proxy to grant secure intranet access.

A reverse proxy server, on the other hand, can deliver secure intranet access without the limitations of VPN. First, a reverse proxy, such as Cloud Access Manager, offers a zero-footprint requirement on the user's machine. This means that there is no software to install, and no requirement for browser plug-ins or certificate management. Users at the library, on the corporate network, or on mobile devices can all equally access secure intranet resources.

A reverse proxy also enables you to provide secure access to partners and other external users. Cloud Access Manager can act as a gateway to your internal sites. Before users can access anything within a network secured by Cloud Access Manager, they must first authenticate, and then their attributes and group membership will be used to govern exactly what they can access. Moreover, since users accessing a reverse proxy are not actually on your secured network, it is impossible for them to search the network for vulnerabilities.

In addition, Cloud Access Manager provides a simple-to-follow, wizard-driven interface that even the newest web administrators can use. There are no complicated terminologies or instructions to learn, so you can provide your users and partners with secure access to an internal site in just a few minutes.

Myth #2: A proxy will create an application bottleneck.

Organizations worry about having their applications flowing through a single server, especially if they have experienced bottlenecks in the past.
And often a reverse proxy is tasked with doing more than a forward proxy: it needs to rewrite links, filter traffic according to security policies and, in the case of Cloud Access Manager, provide SSO by injecting credentials and responding to the security challenges of downstream servers. So concerns about bottlenecks are legitimate. However, times have changed, and so has our technology.

Fact: Today's technology makes reverse proxies reliable with no performance bottlenecks.

The Cloud Access Manager reverse proxy has been written from the ground up with performance in mind, and has evolved over 15 years of development and customer experience. Over that time, new features have been added, including proxy tuning, customized scripting and built-in load balancing.

If you had asked a game developer in the early 90s to write a 3D game engine that simulated water accurately, they would have laughed. Sure, they could have written one, but you would have needed a powerful graphics workstation to run it. Today, a small game console is capable of nearly perfect fluid simulation. Computing power and virtualization have finally caught up to the technology.

Taking advantage of that technology, the Cloud Access Manager reverse proxy engine runs as a self-hosted web service and was written for speed: a single proxy server is typically enough to handle the application load for a medium-sized enterprise. Organizations that want to scale their installation need only add another proxy; the server will auto-discover the rest of the Cloud Access Manager deployment and configure itself appropriately.

In short, thanks to years of fine tuning and today's processing power and scalability, bottlenecks are simply not an issue for the Cloud Access Manager reverse proxy. It's worth pointing out that Dell has been running the Cloud Access Manager reverse proxy in its own environment for years, with only two production proxies (a good fail-over strategy). The Cloud Access Manager reverse proxy delivers a real solution to the challenge, and does so with reliability and performance.

Myth #3: Firewalls are secure; reverse proxies are not.

The final myth can be summed up as follows: "Firewalls are secure and reverse proxies aren't firewalls. Therefore, reverse proxies are not secure." The truth is, a reverse proxy solution is often more secure than a firewall VPN strategy. But the more important truth is that organizations do not have to choose between a firewall and a reverse proxy; they can have both.

Fact: You can choose both a firewall and a reverse proxy.

Using a reverse proxy does not mean no longer using firewalls. In fact, you shouldn't even consider installing a reverse proxy on a machine that does not have a firewall, or that is not at least behind one on your network.

Think of traffic on your network as the stations on your radio. In the United States, FM radio channels are split into frequencies ranging from 87.8 MHz to 108.0 MHz, and the jump between frequencies is 0.2 MHz. So, a U.S. FM radio receiver can receive about 101 different radio channels. In today's network technology, a similar method is used to separate traffic on the wire. There are 65,535 possible channels, called ports, to move information around on a network. Websites typically transmit on port 80, while secure sites like your bank are on port 443. The problem is there really isn't any requirement that certain types of data travel on certain ports. You could design your website to travel on port 12345 as easily as you could get it to transmit on port 80.

This huge number of ports is exactly what a firewall is designed to secure. For instance, let's say you have installed a secret banking web service on port 1080 and you want to make sure that only the banking website can call that web service. You could easily configure a firewall with a policy to do just that, as illustrated in Figure 4.
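The Figure 4 policy expressed as a first-match, default-deny rule set, as an added example that is not part of the paper or any Dell product. The only values taken from the paper are port 1080 for the banking web service and port 443 as the sole port the reverse proxy accepts; the IP addresses are constructed. The second function walks all 65,535 ports from one source to one host and reports what the policy leaves reachable, which is the defender's view of the "port scanning is simply impossible" claim made later in the paper.

```python
"""Default-deny port filter for the Figure 4 scenario: only the banking
website may call the banking web service on port 1080, the reverse proxy
accepts connections only on 443, and everything else is dropped.  Added
example, not Dell code; the addresses are constructed, the ports 1080 and
443 are the ones the paper uses."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set


@dataclass(frozen=True)
class Rule:
    src: object     # ip_network the connection may come from
    dst: object     # ip_network of the destination host
    dport: int      # destination port
    action: str     # "allow" or "deny"


def rule(src: str, dst: str, dport: int, action: str) -> Rule:
    """Build a Rule from CIDR strings, parsing the networks once."""
    return Rule(ip_network(src), ip_network(dst), dport, action)


BANKING_WEBSITE = "10.0.1.10"       # constructed address of the banking website
BANKING_SERVICE = "10.0.2.20"       # constructed address of the web service on port 1080
REVERSE_PROXY = "10.0.0.5"          # constructed address of the proxy, port 443 only

# First match wins.  There is no catch-all allow: anything unmatched is denied.
RULES: List[Rule] = [
    rule(f"{BANKING_WEBSITE}/32", f"{BANKING_SERVICE}/32", 1080, "allow"),
    rule("0.0.0.0/0", f"{REVERSE_PROXY}/32", 443, "allow"),
]


def _match(rules: List[Rule], src, dst, dport: int) -> str:
    for r in rules:
        if src in r.src and dst in r.dst and dport == r.dport:
            return r.action
    return "deny"                   # the firewall's default for unassigned ports


def decide(src_ip: str, dst_ip: str, dport: int, rules: List[Rule] = RULES) -> str:
    """Return "allow" or "deny" for one connection attempt."""
    return _match(rules, ip_address(src_ip), ip_address(dst_ip), dport)


def exposed_ports(src_ip: str, dst_ip: str, rules: List[Rule] = RULES) -> Set[int]:
    """Every port 1..65535 checked from one source to one host: what the policy leaves open."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return {p for p in range(1, 65536) if _match(rules, src, dst, p) == "allow"}


if __name__ == "__main__":
    print("banking site -> service:1080:", decide(BANKING_WEBSITE, BANKING_SERVICE, 1080))
    print("other host  -> service:1080:", decide("10.0.1.99", BANKING_SERVICE, 1080))
    print("internet    -> proxy, open ports:", exposed_ports("203.0.113.7", REVERSE_PROXY))
    print("internet    -> service, open ports:", exposed_ports("203.0.113.7", BANKING_SERVICE))
```

Reading the results in the paper's terms: from the internet the only reachable port on the proxy host is 443, the banking service has no reachable port at all, and the banking website reaches the service on 1080 and nothing else. The firewall enforces which ports exist for a given caller; the proxy then decides what happens on the one port it serves.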
Beyond that, the firewall should simply block all unassigned and unsecured ports by default. This is the job of a firewall, and it remains the job of the firewall when it is applied to a reverse proxy solution. A reverse proxy solution isn't a firewall, nor does it pretend to be.

[Figure 4. A firewall allowing a specific banking website to access a secure banking web service, but blocking access to the service from all other (unauthorized) websites]

As noted earlier, Figure 3 shows a reverse proxy securing the sites behind an organization's firewall. Since the proxy supports traffic only on port 443 (the secure SSL gateway), port scanning is simply impossible. More than that, a user trying to access hidden.sitea.com directly cannot do so; it is simply impossible. The truth is, using a reverse proxy to secure access to internal sites can be more secure than using a firewall alone.

There is no real comparison to be made between a firewall and a reverse proxy server. They are two different solutions providing two essential and different features.

About Dell One Identity Cloud Access Manager

Dell Software recently released the next generation of its solution for access management, including access management for remote users. The new Dell One Identity Cloud Access Manager solution represents a huge leap in usability and features for securing and managing access. More than a simple single sign-on product, Cloud Access Manager is a full-fledged web access management solution. Cloud Access Manager uses reverse proxy technology to provide authenticated and authorized users connecting from the internet or a partner organization's network with secure intranet access to applications that are hosted safely behind your organization's firewall.

Cloud Access Manager delivers the following benefits:

User-specific application portal. Cloud Access Manager provides each user with a web application portal customized to their security profile. Users can launch applications from this portal and add applications to the portal from a secure application catalog.

Just-in-time (JIT) provisioning. Before a user can use a web property like Google Apps, Salesforce.com or Office 365, they must be provisioned to the platform. Many products offer a "big bang" or dirsync provisioning strategy in which all members of a particular security group are provisioned en masse. This strategy often results in cost overruns, since more people are provisioned than are actively using the service.
With a JIT strategy, users who match the correct security profile are provisioned only when they specifically ask for access or add the application to their portal collection.

Single sign-on. Cloud Access Manager's approach to SSO is unique in the industry. Rather than focusing only on the modern challenges of federation with technologies like SAML and WS-Federation, Cloud Access Manager offers a balanced solution. It supports modern federation, but also adds support for legacy authentication methods like forms-based, basic and Windows authentication.

Secure intranet access from the internet without VPN. Cloud Access Manager's reverse proxy engine not only provides SSO to legacy applications, but also gives users outside the firewall secure access to internal applications. This is achieved without any additional plug-ins, server agents, or requirement to install VPN software on the client machine.

Tuning and scripting capabilities. With less mature reverse proxy technologies, internal websites with unique HTML or scripting features are often not rewritten correctly in the proxy, forcing organizations to either leave applications out of the proxy or wait for the product team to implement a new translation. Cloud Access Manager's unique tuning and scripting capabilities enable you to respond to an application's unique HTML requirements without changing the core product. That means you can maintain the mappings yourself.

Conclusion

Reverse proxies have come of age, and the myths keeping them out of widespread use are simply that: myths. As we've illustrated here in busting these myths, reverse proxies are a valuable part of any secure web access strategy, supplementing the security of your firewalls and overcoming the limitations of VPN technologies. Cloud Access Manager's reverse proxy unlocks the potential of integrating securely with your partners, keeping users happy with high performance, and enabling SSO solutions previously thought impossible.
About the author

Joe Campbell is Principal Solutions Architect at Dell Software. He is an accomplished software developer with an extremely diverse background. His professional career spans innovations for some of the world's biggest companies, and he's pioneered new, award-winning technologies in wireless, RFID, visualization, communications and telephony. Joe's unmatched experience in leading security and software architecture makes him a highly respected visionary and leader in the technology industry.

For More Information

© 2014 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. ("Dell"). Dell, Dell Software, the Dell Software logo and products as identified in this document are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.
About Dell Software

Dell Software helps customers unlock greater potential through the power of technology, delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com

If you have any questions regarding your potential use of this material, contact:

Dell Software
5 Polaris Way
Aliso Viejo, CA 92656
www.dellsoftware.com

Refer to our Web site for regional and international office information.

WhitePaper-ReverseProxy-US-VG-24426