Web applications vulnerabilities are increasingly being used by
attackers to compromise systems on the internet. This has created demand
for a mechanism to secure web application without rewriting the whole
application. In this article, we see how a security reverse proxy can be
used to provide reasonable security for web applications in an organization.
Firewalls, intrusion detection systems and regular patching of servers have secured the servers at the network layer. However, vulnerabilities in web applications are being used by attackers to obtain unauthorized access to critical data, become administrators of applications and even obtain access to the underlying operating system. The attacks are generally carried out by manipulating the requests to the web server.
Applications with vulnerabilities continue to exist on the internet due to the following factors:
- The security needs for applications were not considered during the design phase of application development.
- The developer community is not fully aware of the security best practices to avoid the application vulnerabilities.
- For existing applications, the task of identifying vulnerabilities and correcting them is a long process with large cost implications. This can also result in downtime for business critical applications.
One method of securing applications is by introducing a component which is capable of detecting and blocking attacks, between the client and the web server. A security reverse proxy is such a device. Using it, multiple web applications in an organization can be protected against application level attacks.
What is a Security Reverse Proxy
We have all come across an internet proxy used for accessing the Internet. Internally, the proxy accepts our request and then reinitiates a connection to the internet on our behalf. The proxy obtains the reply from the server and forwards it to the client that requested it. In other words, a regular proxy acts on behalf of a client.
A reverse proxy on the other hand acts on behalf of a server. The reverse proxy accepts the connection from the client and forwards it to the server. It also receives the response from the server and forwards it to the client. A security reverse proxy helps in protecting applications by inspecting the requests for malicious requests. On finding malicious content in the request, the reverse proxy will simply drop the request. The security reverse proxy checks for malicious content using a database which contains a set of allowed or disallowed content.
Detailed working of the Reverse Proxy
The working of a security reverse proxy can be understood by different activities that it carries out on receiving a request. All reverse proxies perform three basic operations:
- Request URL remapping: The client makes the request assuming that the reverse proxy is the web server. Before the reverse proxy can forward the request to the internal web server, the URL of the request needs to remapped to reflect the internal server's URL.
- Request Header Remapping: In addition to the URL, some of the http headers also need to be rewritten to reflect the internal web server. One such HTTP header is the "Host:" header which carries the hostname from which the URL is requested.
- Response Header Remapping: The response from the server also needs to be modified for the client to work correctly. This includes the "Location:" field which contains the location of the file on the server.The above three functions are carried out by all reverse proxies. The additional functions performed by a security reverse proxy are:
- Request Content Validation: The security reverse proxy inspects the request for malicious content. The check is actually performed by comparing the request against a database of filter signatures. These signatures are usually constructed using regular expressions. The decision to allow or disallow a request using filter signatures can be implemented either by using a black list or a white list approach.A black list filter contains the known malicious requests. Each request is checked against the entries in the list and blocked if a match is found. Variations of the same attacks need to be captured independently in the list. Thus by using black lists, only known attacks can be blocked. Its effectiveness lies in the comprehensiveness of the black list.
A white list filter contains the entire set of valid requests for a particular site. Thus, the white list stops attacks since it allows only known requests to reach the server. The process of creating a white list, however, is very tedious and needs the knowledge of the complete set of valid requests that can possibly be made to a server. Any changes to a protected web application would need a corresponding change to the white list. The process of maintaining a white list thus adds an administrative overhead.
- Response Content Validation: The response obtained from the server is also validated before the reverse proxy sends it back to the client. This is usually done using a black list approach. This can be used to block known responses which the client does not need to see. Error messages are one such type of information - the reverse proxy can replace the actual error with a generic error message which does not contain any sensitive information.
- Request and response logging: The request can also be logged by the reverse proxy for later analysis. The best approach is to configure logging of only the requests that were blocked. In the initial phases of the implementation, the logs should be closely reviewed. This is required to ensure that valid requests are not getting blocked by the reverse proxy.
Advantages of the reverse proxy
A security reverse proxy offers the following direct benefits:
- Using a combination of white and black lists, web severs can be effectively protected against application attacks to a large extent.
- The information flowing back to the client can be reviewed and sensitive information can be stopped from reaching the client.
- The reverse proxy becomes a single point of entry for the different web applications in the organization. The web servers stay hidden and thus protected from the Internet.
- Security monitoring such as log review can performed form a single point. This can improve the chances of detection of attacks to the servers.
- The reverse proxy can act as a single SSL server. This can be a big advantage if an organization runs multiple SSL enabled sites. A single SSL server can offer administrative and cost benefits to the organization.
- The reverse proxy can also act as caching server for the static content hosted by the organization, thereby improving overall performance of all the web servers.
- The system performance and system resource requirements can be better managed and utilized.
- Creation and maintenance of the signature database (white lists and black lists) are complex and time consuming processes. Wrong signatures can block valid requests and create hardships for users of the system.
- Any changes or additions in the application will also have to be reflected in the reverse proxy configuration.
- The blacklist may not be able block all possible attacks, especially variations.
- The reverse proxy may not be able to protect logic issues in the application, such as vulnerabilities in session maintenance.
- The reverse proxy becomes a 'single point of failure', hence redundancy needs to be considered for the reverse proxy. This will add further complexities to the architecture.
- Poor configuration and vulnerabilities of the reverse proxy itself can add another point of vulnerability for the attackers.
Application level vulnerabilities are increasingly being used by attackers to compromise data and servers in the internet. A reverse proxy can be used to secure multiple web servers in an organization from web application vulnerabilities. The reverse proxy also provides additional benefits including hiding of the web servers and improved performance. It also provides a single point for web application logging and analysis. However, maintaining a security proxy will increase the administrative overhead. The increased overheads of a security reverse proxy should be an acceptable price for the assurance obtained against web application vulnerabilities.