8 Reasons Why You Should Use a Reverse Proxy in Your DMZ
Overview
Why use a reverse proxy? By placing a reverse proxy in your DMZ, you can move your file transfer servers to your internal network where they will be less vulnerable to attacks from the Internet. But that's just the tip of the iceberg. There are still more benefits of using a reverse proxy you might not be aware of.
1. Creates a single point of access to your file transfer servers
As long as you've configured your firewall and reverse proxy correctly, no one should be able to gain direct access to any of your file transfer servers. Everyone has to pass through the reverse proxy. That means you can focus your monitoring on what goes in and out through the reverse proxy.
2. Simplifies access control tasks
Because you only have a single point of access, you can concentrate access control on that single point. For example, instead of specifying on every single server what IP addresses should be allowed to connect, you can simply create a set of IP access rules on your reverse proxy. If a user attempts to connect from an unauthorized IP, that attempt can immediately be terminated by the reverse proxy.
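The kind of IP access rule set described above can be sketched as follows. This is an added example, not code from the original post or from any JSCAPE product; the rule list, the function names and the first-match-wins, default-deny policy are assumptions made for illustration.

```python
import ipaddress

# Constructed rule set (documentation address ranges). First match wins;
# anything that matches no rule is denied.
RULES = [
    ("deny",  "203.0.113.77/32"),   # one blocked host inside an allowed range
    ("allow", "203.0.113.0/24"),    # hypothetical trading partner A
    ("allow", "2001:db8:42::/48"),  # hypothetical trading partner B over IPv6
]

def compile_rules(rules):
    # strict=True rejects CIDRs with host bits set, e.g. a typo like 203.0.113.5/24.
    return [(action, ipaddress.ip_network(cidr, strict=True)) for action, cidr in rules]

def normalize(peer):
    """Parse the socket peer address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    A dual-stack listener reports IPv4 clients in the mapped form; without
    unwrapping, IPv4 rules would never match them.
    """
    addr = ipaddress.ip_address(peer)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def decide(peer, compiled):
    """Return "allow" or "deny" for the address the TCP connection came from."""
    try:
        addr = normalize(peer)
    except ValueError:
        return "deny"               # unparsable address: fail closed
    for action, net in compiled:
        if addr.version == net.version and addr in net:
            return action
    return "deny"                   # default deny

if __name__ == "__main__":
    compiled = compile_rules(RULES)
    for peer in ("203.0.113.10", "::ffff:203.0.113.77", "198.51.100.5"):
        print(peer, decide(peer, compiled))
```

The decision is made on the connection's peer address, so the terminated attempt never reaches a back-end server.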
3. Moves user credentials to a safer place
Most user credentials are stored on the file transfer servers themselves. So if your file transfer servers are placed in your DMZ, a highly motivated attacker may easily get hold of them. By moving your servers into your internal network and deploying a reverse proxy to control access, you can provide better security to those credentials and, consequently, to the data they protect.
4. Reduces risks to sensitive data
Considering the broad range of information we regularly share with business partners, customers and field employees, I'm pretty sure some of that information is not for public consumption. I'm sure you wouldn't want personal information, trade secrets, prototype blueprints, payroll spreadsheets or financial data to leak out to the public or fall into the wrong hands.
But if your file transfer servers are in your DMZ, all that confidential data stored on their hard drives is going to attract identity thieves, corporate spies, fraudsters and other crooks. One way to mitigate that risk is to deploy a reverse proxy.
With a reverse proxy, you will gain the option of moving DMZ-based file transfer servers to your internal network where they will be less vulnerable to attacks.
5. Helps achieve regulatory compliance
A number of de facto standards and government-imposed regulations do not allow storage of data in highly vulnerable areas like the DMZ. The PCI-DSS (Payment Card Industry - Data Security Standard), for example, explicitly requires credit card information to be stored in internal networks segregated from your DMZ.
But what if you want to share sensitive data with organizations, such as trading partners, who don't have access to your internal network?
One solution that's within the bounds of regulatory requirements would be to place a reverse proxy in your DMZ and allow your trading partners to connect to your back-end servers securely through it. Using special reverse proxy technologies like DMZ streaming, you can share sensitive information with external partners without putting the information in the DMZ or granting direct access to your back-end servers.
6. Brings down capital and operational expenses
Let's revisit the problems raised in items #4 and #5 of this list. One of the traditional solutions to these problems is to install two sets of servers: one set in the DMZ to cater to external clients and another set to cater to internal clients. The downside of this solution is that it's obviously very expensive and, since you need to administer both sets of servers, it places an additional burden on your already overloaded administrators.
If you use a reverse proxy, you won't have to set up two sets of servers. All your servers can be placed in your internal network and they can serve both your internal and external clients.
7. Allows transparent maintenance of backend servers
Changes you make to servers running behind a reverse proxy are going to be completely transparent to your end users. Even if you take down one of your secure file transfer servers (assuming it belongs to a cluster) for maintenance, upgrade, or replacement, your end users won't notice it.
8. Enables load balancing and failover
Reverse proxies like JSCAPE MFT Gateway already support high availability methods like load balancing and failover. This will allow you to eliminate downtime and increase productivity. Typically, you would set up a cluster and add file transfer servers to it. The reverse proxy will then enforce a load balancing algorithm, such as round robin, weighted round robin, least connections, weighted least connections, or random, to distribute the load among the servers in the cluster.
When a server goes down, the system will automatically fail over to the next server that is up, and users can continue with their secure file transfer activities.
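To make the selection and failover behaviour concrete, here is a sketch of two of the algorithms named above (round robin and weighted least connections) choosing only among servers that are up. It is an added example, not JSCAPE MFT Gateway code; the `Cluster` class, its method names and the server names are hypothetical.

```python
class Cluster:
    """Back-end servers of one cluster, with health state and open-connection counts."""

    def __init__(self, weights):
        self.weights = dict(weights)              # server name -> weight (>= 1)
        self.up = {name: True for name in weights}
        self.conns = {name: 0 for name in weights}
        self._order = list(weights)
        self._next = 0                            # round-robin cursor

    def mark(self, name, is_up):
        """Record a health-check result for one server."""
        self.up[name] = is_up
        if not is_up:
            self.conns[name] = 0                  # its sessions are gone

    def round_robin(self):
        # Walk the ring at most once, skipping servers that are down.
        for _ in range(len(self._order)):
            name = self._order[self._next]
            self._next = (self._next + 1) % len(self._order)
            if self.up[name]:
                return name
        return None                               # whole cluster is down

    def weighted_least_connections(self):
        live = [n for n in self._order if self.up[n]]
        if not live:
            return None
        # Lowest connections-per-unit-of-weight wins; ties go to the first listed.
        return min(live, key=lambda n: self.conns[n] / self.weights[n])

    def connect(self, pick):
        """Choose a server with the given algorithm and count the new session."""
        name = pick()
        if name is None:
            raise ConnectionError("no healthy back-end server")
        self.conns[name] += 1
        return name

if __name__ == "__main__":
    c = Cluster({"mft1": 1, "mft2": 1, "mft3": 1})   # constructed server names
    print([c.round_robin() for _ in range(4)])
    c.mark("mft2", False)                            # mft2 fails its health check
    print([c.round_robin() for _ in range(2)])
```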
Summary
In this post, we presented a number of benefits that can be gained from deploying a reverse proxy. Although most of those benefits amount to enhanced security, a few of them (particularly 6 to 8) translate to cost savings, better end-user experience, and enhanced BC-DR (Business Continuity - Disaster Recovery) capabilities.
Experience the benefits of a reverse proxy for FREE
JSCAPE MFT Gateway Reverse Proxy & Load Balancer comes with a free, fully-functional evaluation edition which you can download right now.