• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 337
  • Last Modified:

Proxy within DMZ and Proxy begind the firewall

Is there any advantage to providing a proxy server within the DMZ, as opposed to putting a proxy behind the firewall and sending out only through ports enabled by the firewall?

In other words, in one configuration, you put your app behind a firewall, and your proxy server in the DMZ.  

In the other scenario you put the app behind the firewall, but a proxy begind the firewall as well.

Why would the first method (proxy in the DMZ) be better than the second?

njd
0
Anthony Lucia
Asked:
Anthony Lucia
1 Solution
 
Anthony LuciaAuthor Commented:
By better I mean more secure
0
 
gheistCommented:
Ar we talking about proxy or reverse proxy here?
0
 
arnoldCommented:
"More secure "

The difference is as follows in DMZ configuration, if the proxy is compromised, the access an intruder will have is the same as the proxy would. Usually meaning it will have a limited access to a server for which it provides services.

In a firewall port forwarding to a proxy on the LAN, a compromised proxy server provides full access to the LAN on which it runs.

DMZ.                          /    DMZ <=> system
Internet <=> firewall <=>  LAN
The firewall will govern what requests from a system on DMZ will be allowed

No DMZ
Internet <=> firewall <=> LAN included the system reverse proxy


DMZ is commonly used, its implementation functionality and scope varies by the capability of the firewall used.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now