Have you ever questioned the security best practices?
In the process of building / designing the infrastructure for a new project the following question was asked: “shouldn’t we use a reverse proxy to secure or protect the web servers?” Of course the first question I asked myself is “do reverse proxies provide real security?” or is this a best / common practice that has been adopted without foundation?
I worked with some fellow security experts to measure if the use of Reverse Proxies actually provides better security than exposing your web servers directly.
We used the OSSTMM 3 as the basis for the testing so we could measure the Attack Surface. Even though, measuring the Attack Surface with RAVs (the method outlined in the OSSTMM) seems complicated at first, it is actually pretty straight-forward once you understand the concepts.
The results of this research can be found in this paper. It also serves as a good tutorial on how to use the RAVs to measure the security of any scenario.
12. June 2013 at 17:31
Going to have OPST next week and found this work really useful. Thanks
28. June 2014 at 22:47
Beautiful demonstration, Pablo – thanks. Papers like this really clarify the OSSTMM.
30. June 2014 at 10:04
Hello, the link to the paper is bloken, could you please fix it? I really am interested in the results of yourresearch! 🙂 Thanks-
1. July 2014 at 8:36
Link should be working now. Thanks for reporting it.
4. January 2015 at 17:01
should we choose one of five channels? in my case i choose data network channel an dignore the others? and should we finish one by one of all task?
23. February 2015 at 21:52
You can decide to use test or analyse just one channel as you did, justmake sure to document it appropriately.
27. February 2015 at 18:50