Have you ever questioned the security best practices?

In the process of building / designing the infrastructure for a new project the following question was asked: “shouldn’t we use a reverse proxy to secure or protect the web servers?” Of course the first question I asked myself is “do reverse proxies provide real security?” or is this a best / common practice that has been adopted without foundation?

I worked with some fellow security experts to measure if the use of Reverse Proxies actually provides better security than exposing your web servers directly.

We used the OSSTMM 3 as the basis for the testing so we could measure the Attack Surface. Even though, measuring the Attack Surface with RAVs (the method outlined in the OSSTMM) seems complicated at first, it is actually pretty straight-forward once you understand the concepts.

The results of this research can be found in this paper. It also serves as a good tutorial on how to use the RAVs to measure the security of any scenario.