Using a Reverse-Proxy Device as a Common Interceptor
Another approach we considered was to centralise the interception function
through a reverse-proxy that is set up to intercept access to all web
applications in the network. This has several architectural advantages, the
most important being its guarantee of protection to all applications in the
network at a single stroke. While software-based proxies face concerns of
being potential performance bottlenecks, there is a class of hardware
devices that are quite performant and effective in this role.
The diagram below illustrates how a reverse proxy device could work as a
common interceptor.
Fig 34: Reverse proxy
However, we faced two problems with this design, a minor one and a major
one.
The minor problem was that very few of the devices we surveyed had
support for the CAS protocol. A couple had support for Kerberos, which
would also have been acceptable. However, the programming models were
quite limited and could have constrained the development of customised
logic, which was a definite requirement.
This constraint could also have been worked around, but in any case, the
major problem that stymied this approach was cost, specifically the initial
outlay required.
A reverse-proxy device of the required capability and acceptable quality
costs about $100,000 at the time of writing. We would have had to deploy
 