O'Reilly Modern Defense in Depth

toward full integration, given that they all play a critical role in maintaining web application "availability."

First Three Layers of Protection

If attacks are detected targeting the DNS layer, the upstream routers in the first line of defense and the upstream DDoS defenses in the second line of defense can be made aware of the attacks seen at the DNS layer, and those upstream lines of defense can apply automated protections to shield the DNS layer.

Defensive Line 4: Reverse Proxies

Reverse proxies are the next line of defense because they can provide a considerable amount of protection for the web applications downstream of them, which makes them a valuable fourth line of defense.

In the early 1990s, organizations began to realize that some layer of protection was needed between the internet and its earliest users. The original devices, which today we call "firewalls," originally operated as proxies. These proxies provided some level of protection for users browsing the internet: the proxy sent requests to the internet on behalf of the user and provided a layer of segmentation between what is considered the "inside" of a network and what is considered the "outside." At some level, the concept of proxies within firewalls is still in use today.

Proxies are designed to protect users from the internet; the concept of "reverse proxies" is the opposite. Reverse proxies are designed to protect servers from users on the internet. When reverse proxies are deployed in-line in front of websites and applications, they not only hide the IP addresses of the actual websites and the applications residing on them, they can also protect those sites and applications from users on the internet.

We can embed many defensive mechanisms within reverse proxies. For example, reverse proxies are fully capable of consuming threat intelligence in the form of threat feeds, which include whitelists and blacklists. ACLs and firewall-like policies are also supported. Reverse proxies can also apply traffic and request rate limits designed to limit the amount of traffic
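The controls listed above, as an added example that is not code from the O'Reilly report: a small Go reverse proxy built on the standard library's httputil.ReverseProxy that loads a blocklist from a threat feed, enforces a source-network ACL on an administrative path, and applies a per-client request rate limit, all before the request is forwarded to the origin, whose address the client never sees. The feed contents, the origin address 127.0.0.1:8080, the 10.0.0.0/8 management network, the /admin/ path prefix and the listening port are assumptions made for illustration.

```go
package main

import (
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
	"time"
)

// sampleFeed is a constructed blocklist standing in for a threat feed (one CIDR per line,
// '#' comments). It is not a real feed.
const sampleFeed = "# constructed sample blocklist\n198.51.100.0/24\n203.0.113.7/32\n"

// ParseFeed parses the feed into networks. A malformed line is an error rather than being
// skipped, so a corrupted feed fails closed instead of silently shrinking the blocklist.
func ParseFeed(feed string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, line := range strings.Split(feed, "\n") {
		if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
			continue
		}
		_, n, err := net.ParseCIDR(line)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// inAny reports whether ip falls inside any of nets.
func inAny(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// RateLimiter allows at most limit requests per client key in each fixed window.
type RateLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	start  time.Time
	counts map[string]int
	now    func() time.Time // injectable clock so the window rollover is testable
}

func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	return &RateLimiter{limit: limit, window: window, counts: map[string]int{}, now: time.Now}
}

// Allow counts one request for key, resetting every counter once the window has elapsed.
func (r *RateLimiter) Allow(key string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if now := r.now(); now.Sub(r.start) >= r.window {
		r.start, r.counts = now, map[string]int{}
	}
	r.counts[key]++
	return r.counts[key] <= r.limit
}

// Policy runs before forwarding: a threat-feed blocklist, an ACL for /admin/, and a per-client
// rate limit. Blocked and ACL-denied clients are refused before they consume rate-limit state.
type Policy struct {
	Block, Admin []*net.IPNet
	Limiter      *RateLimiter
}

// Decide returns the status to answer with, or 0 when the request may be forwarded.
func (p *Policy) Decide(clientIP, path string) int {
	ip := net.ParseIP(clientIP)
	if ip == nil {
		return http.StatusBadRequest
	}
	if inAny(p.Block, ip) || (strings.HasPrefix(path, "/admin/") && !inAny(p.Admin, ip)) {
		return http.StatusForbidden
	}
	if !p.Limiter.Allow(clientIP) {
		return http.StatusTooManyRequests
	}
	return 0
}

// Handler puts the policy in front of httputil.ReverseProxy; clients only ever see the proxy,
// and the origin's address stays internal.
func Handler(p *Policy, origin *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(origin)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, _ := net.SplitHostPort(r.RemoteAddr) // unparseable address -> 400 from Decide
		if code := p.Decide(host, r.URL.Path); code != 0 {
			http.Error(w, http.StatusText(code), code)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	block, err := ParseFeed(sampleFeed)
	if err != nil {
		panic(err) // fail closed on a bad feed
	}
	origin, _ := url.Parse("http://127.0.0.1:8080") // assumed origin; never exposed to clients
	_, admin, _ := net.ParseCIDR("10.0.0.0/8")      // assumed management network for /admin/
	p := &Policy{Block: block, Admin: []*net.IPNet{admin}, Limiter: NewRateLimiter(10, time.Second)}
	panic(http.ListenAndServe(":8443", Handler(p, origin)))
}
```

Two caveats a deployment would have to address. The limiter keys on r.RemoteAddr, which is only the real client when this proxy terminates the client connection itself; behind a CDN or another proxy the key must come from a forwarded-for header set by that trusted hop, never from one the client can supply. The fixed-window counter also lets a client send up to twice the limit straddling a window boundary; a token or leaky bucket (the model behind nginx's limit_req) smooths that out at the cost of a little more state per client.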
