Proxy
A Proxy is a system (computer, or software) that acts as a middleman between two systems (e.g. two computers). One of these systems, called the client, wishes to gain access to a specific resource (software, data, ...) that is present on another system (called the server). The client contacts a proxy, asking for access to the resource; the proxy then asks the server for that resource and forwards the information from it to the client.
In the eyes of a client who uses the proxy, every resource is an individual entity. In the eyes of the server, there is no distinction made between the clients using the same proxy.
Reverse Proxy
In some cases (web services for instance) a single service can consist of several resources that are spread amongst several servers. In order to present a single interface to the client, the provider of that service needs a system that will dispatch inbound requests to the correct server. This is what a Reverse Proxy does: present several resources as one single entity to the client. Also, since the reverse proxy is controlled by the provider of the service, additional security features can be implemented there, amongst other things (load distribution, data compression, etc.).
When using eID as a means to authenticate a user, the reverse proxy will manage the verification of the certificate.
DeMilitarized Zone (DMZ)
A service provider may not feel comfortable receiving queries from an external network directly on their internal network. Indeed, some information on the internal network may be sensitive data that the owner does not want to share with the world. Still, the provider wishes to give the external network access to some public parts of the network, while remaining able to reach those parts from the secured internal network. This part of a network that is freely accessible to both the external network and the internal network is called a Demilitarized Zone (DMZ). Usually the DMZ is located between two firewalls: one that separates it from the internal network, and one that separates it from the external network.
Typically, in the case of web services, the reverse proxy will be located in the DMZ, while the application servers (containing the different resources accessed by the service) will be located in the internal network.
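The layout described above, sketched as an nginx configuration. This is an added example, not taken from the original post: nginx is one possible reverse proxy, and every hostname, address, file path, URL prefix and header name in it is a placeholder chosen for illustration.

```nginx
# Reverse proxy running in the DMZ (added example; all names, addresses
# and paths are placeholders, not values from the page).

# Application servers on the internal network, behind the inner firewall.
upstream accounts_app  { server 10.0.1.10:8080; }
upstream documents_app { server 10.0.1.20:8080; }

server {
    listen 443 ssl;
    server_name service.example.org;

    # The proxy's own server certificate.
    ssl_certificate     /etc/nginx/tls/service.example.org.crt;
    ssl_certificate_key /etc/nginx/tls/service.example.org.key;

    # eID authentication: the TLS handshake fails unless the client
    # presents a certificate that chains to the trusted eID CAs.
    ssl_client_certificate /etc/nginx/tls/eid-ca-chain.pem;
    ssl_verify_client      on;
    ssl_verify_depth       3;   # assumed value, leaves room for intermediate CAs
    # Revocation list in PEM format; it has to be refreshed regularly.
    ssl_crl                /etc/nginx/tls/eid-crl.pem;

    # Pass the verified identity to the application servers.
    # proxy_set_header replaces any header of the same name sent by the
    # client, so a caller cannot supply its own identity.
    proxy_set_header Host            $host;
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN     $ssl_client_s_dn;

    # Dispatch: one public interface, several internal servers.
    location /accounts/  { proxy_pass http://accounts_app; }
    location /documents/ { proxy_pass http://documents_app; }

    # Anything that does not map to a published resource is refused.
    location / { return 404; }
}
```

The application servers can only trust these headers if the inner firewall lets them accept connections from the reverse proxy alone; a host that can reach them directly could set the headers itself.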
