[Snort-users] Request for Reverse Proxy Guidance

Will Metcalf william.metcalf at ...11827...
Wed Mar 31 09:49:02 EDT 2010


Have you looked @ http://www.modsecurity.org/?  Regardless of where
you position the box, if you are passing creds I think this
traffic should remain encrypted on the wire in which case snort will
be completely blind to it.  Some people may choose to encrypt the
front end to an SSL-terminating proxy and then have their IDS inspect
the unencrypted traffic to the back-end server although imho this is a
poor practice.  Since you are deploying a reverse proxy anyway, I
suggest again that you have a look at mod_security as it comes with
some pretty great default rules, and allows you to have much more
granular controls over what is allowed in and out of your webapps.

Regards,

Will

On Wed, Mar 31, 2010 at 8:29 AM, Jason Wallace
<jason.r.wallace at ...11827...> wrote:
> Howdy all,
>
> I'm looking for some IDS best practice guidance when dealing with a
> reverse proxy. We have a new application being deployed that needs to
> be accessible from the Internet via a web interface but also needs to
> authenticate to AD. To date we do not pass the Windows auth ports from
> our DMZ to our internal network and I would like to keep it that way.
> To me that means we probably need to proxy the web traffic from our
> DMZ to the new system hosted on the inside.
>
> If I monitor in front of the proxy I'll see the original Internet src
> address, with a dest of the proxy, and the original http request. If I
> monitor behind the proxy I'll see the src as the proxy, the dest as
> the internal server, and the proxied http request.
>
> If you could only monitor either in front or behind...which would you
> do? I'm new to reverse proxies so if I'm missing something obvious,
> please feel free to point this out!
>
> Thx,
> Wally
>