undefined | Better HN

0 pointsev14y ago0 comments

They are generally exposed through a proxy that sits in between. If you don't authenticate, you can't send a request to it at all.

(This is opposed to the lazy model, where your aplication is fully exposed to the web and you click log in and it redirects to SSO - if there is a vulnerability that doesn't require authentication you're already compromised)

The proxy will handle sign in and passes traffic to/from the webserver backend, and you should not be able to send a single HTTP request to the underlying application without the proxy capturing authentication and who the user that sent the request was.

0 comments

PaulWaldman4y ago

Do these proxies encrypt the traffic? Since they would handle authentication, I am guessing encryption is used. We may be getting into semantics, but at that point, is there much of a difference between a proxy and a VPN?

I had the impression that in a zero trust environment all apps are required to be hardened to the point that they are deemed safe to be exposed to the publc internet.

cheschire4y ago

VPNs are a very different technology. The amount of network traffic alone is a huge difference.

You may be confusing inbound and outbound proxies. If an inbound proxy is put in front of a server, it is able to be extremely hardened without exposing the webserver, and only allows traffic in extremely limited ways. This frees up the webserver to be more open to the internal network, obfuscates information about the webserver to outsiders, etc.

You may be thinking of an outbound proxy where all of your web requests travel through it in order to provide web filtering, protected DNS, and other protective services to internal endpoints and clients that are already on your network.

A VPN is a much deeper connection than an inbound proxy. It typically requires the external endpoint to be trusted, which is the complete opposite state of an endpoint connecting through an inbound proxy. It then allows the endpoint to operate from a position of trust within the whole internal network. Patches can be updated, endpoints can communicate with each other, and the full network traffic of the endpoint routes through the network. With a VPN you even wind up going through the outbound proxy typically!

YMMV though, not every org is setup exactly like this. I’m making gross generalizations about things. Definitely do some web searches on the differences.

j / k navigate · click thread line to collapse