Solution Overview

The goal of ProxyPass is, quite simply, to protect members-area websites against brute-force password cracking attempts, password violations, and bandwidth spikes. ProxyPass performs these functions so well, in fact, that our customers experience the following benefits:

  • decreased server loads, bandwidth, and downtime
  • decreased sysadmin labor time and server TCO
  • decreased stolen content and compromised passwords
  • increased system performance and member satisfaction

Architecture

ProxyPass is a highly optimized C module that armors the authentication and authorization routines of an Apache server. The software supports both multiple virtualhosts on a single server and clustered domains that are load-balanced across many machines. ProxyPass is broadly customizable with an easy-to-use and finely-scopable directive syntax that conforms to the Apache config standards. This allows an administrator total control over detection thresholds and denial behavior. And, of course, ProxyPass detects and defends single servers and load-balanced clusters against the following:

  • cracking attacks tunneled through open proxies and drones
  • cracking attacks from single-source or distributed networks of non-proxy IPs
  • compromised accounts used by too many people, across too many IP subnets or countries
  • site scraping by rapidly downloading all protected content
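An added sketch, not ProxyPass code, of two of the threshold checks listed above: failed logins per source IP and distinct /24 subnets per account within a time window. The event tuple format, the threshold values and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample auth events: (epoch_seconds, client_ip, username, http_status).
# 401 = failed login, 200 = successful authenticated request.
EVENTS = [
    (1000, "198.51.100.7", "alice", 401),
    (1002, "198.51.100.7", "bob", 401),
    (1003, "198.51.100.7", "carol", 401),
    (1004, "198.51.100.7", "dave", 401),
    (1010, "203.0.113.5", "erin", 200),
    (1020, "203.0.113.9", "erin", 200),    # same /24 as the previous request
    (1030, "192.0.2.44", "erin", 200),
    (1040, "198.51.100.80", "erin", 200),
    (5000, "198.51.100.7", "alice", 401),  # far outside the window
]

def subnet24(ip):
    """Collapse an IPv4 address to its /24 so one address pool counts once."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def detect(events, window=300, max_failures=3, max_subnets=2):
    """Return (ips_to_block, accounts_to_flag) using sliding-window thresholds."""
    failures = defaultdict(list)   # ip -> timestamps of recent 401s
    logins = defaultdict(list)     # user -> (timestamp, /24) of recent 200s
    blocked, shared = set(), set()
    for ts, ip, user, status in sorted(events):
        if status == 401:
            # Count failures per source IP regardless of the username tried.
            hits = [t for t in failures[ip] if ts - t < window] + [ts]
            failures[ip] = hits
            if len(hits) > max_failures:
                blocked.add(ip)
        elif status == 200:
            # Count distinct subnets that used this account inside the window.
            seen = [(t, n) for t, n in logins[user] if ts - t < window]
            seen.append((ts, subnet24(ip)))
            logins[user] = seen
            if len({n for _, n in seen}) > max_subnets:
                shared.add(user)
    return blocked, shared
```
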

Key Features

With each successive ProxyPass release, our developers work closely with customers to provide them new, widely-desired features without sacrificing the underlying fundamentals of rock-solid stability and minimal client performance impact. To showcase just a few customer favorites from our rich feature set, please consider the following:

Nominal Performance Impact: Rigorous testing and real-world deployments have shown that the memory, CPU, and bandwidth requirements of ProxyPass will not adversely impact your system. The ProxyPass client module uses an extremely fast C architecture that is completely resident and configurable on your servers. It is not a "hosted" script, nor is it dependent on network transactions with our centralized servers to operate correctly. This ensures a robust defense and a fast surfing experience for your members. In fact, during strenuous, real-world attacks, ProxyPass outperforms competitive products by over 10x. For some customers, ProxyPass has decreased the system load averages under heavy attack nearly 50x! Please see the News section for customer testimonials and quantitative proof.

"Intelligent" Proxy & Drone Defense: Using our custom "Secure Level" approach, administrators have fine-grained control over the handling of open proxies and drones (see FAQ). Options include: immediate denial, selective denial based on behavior thresholds, and selective denial if the system is in a pre-defined, "under-attack" state. And by sharing in our large, up-to-date database of information about abused proxies and drones, ProxyPass clients gain the proactive benefits of finding out about problem IPs that have attacked others before they become a problem.

Optional CAPTCHA Features: ProxyPass natively includes features for HTML form-based logins, while remaining fully compliant with Apache authentication standards. This can replace the typical grey popup dialog box with a "skinnable" login form that includes an optional "captcha" input. Here is a simple example. And unlike competitive products, ProxyPass' captcha functions do not require additional scripts or changes to your members area links, authentication framework or members management system. ProxyPass is always fully compatible with standard authentication features such as multiple authentication realms per domain or authorization groups. And although captcha-type challenge systems are not foolproof (see FAQ), they provide an additional tool in the ProxyPass arsenal when defending against brute-force attacks.

Enterprise-Class Clustering: For Apache clusters serving up load-balanced domains, ProxyPass has an immediate advantage over competitive products: it can quickly propagate threshold and block information across all nodes, a tremendously important point for clustered setups. Without it, websites experience "partial-denial" problems: a block exists on only part of the cluster while unnecessary effort is wasted to detect attacks on each and every independent node. The ProxyPass admin tool also provides a "cluster-wide" perspective (i.e. block info, search capability) from any single node. For our larger customers with clusters of 10+ machines, this feature greatly reduces management overhead and complexity.

System Requirements

ProxyPass augments the security of existing authentication/authorization modules. Please note that the ProxyPass module does not do the password authentication/authorization control itself; rather it works alongside your existing modules. It is compatible with standard and custom authentication/authorization modules (e.g. mod_auth, mod_auth_db[m], mod_auth_mysql) that use Apache access, authentication, and authorization control phases. One of these modules must be installed and configured properly.

The ProxyPass module requires a UNIX-based Apache server configured with dynamic shared object support (i.e. DSO, mod_so.c). ProxyPass is compatible with Apache 1.3.x, 2.0.x, and 2.2.x. ProxyPass has been deployed successfully on many UNIX variants (e.g. Linux, FreeBSD, Solaris, MacOSX) in both 32-bit and 64-bit flavors. The module is not currently available for WIN32 versions of Apache. Of course, ProxyPass also requires money.

Copyright © 2001-2018 Proxigence