A third-party security professional is recommending we run a reverse proxy in front of the web server (all hosted in the DMZ) as a best-practice security measure.
I know this is a typical recommended architecture as it provides another level of security in front of a web application to prevent hackers.
However, as a reverse proxy is cheerfully shuttling HTTP back and forth between the user and the internal web server, it will not provide any measure of prevention of hacking on the web server itself. In other words, if your web app has a security hole, the proxy is not going to provide any meaningful amount of security.
And given that the risk of an attack on a web application is much, much higher than that of an attack on the proxy, is there really much gained by adding an extra box in the middle? We would not be using any of the caching capabilities of a reverse proxy - just a dumb tool to shuttle packets back and forth.
Is there something else I'm missing here? Has reverse proxy HTTP packet inspection got so good it can detect meaningful attacks without major performance bottlenecks, or is this just another example of Security Theater?
The reverse proxy is MS ISA, FWIW.
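As an added illustration of the question above (example code written for this page, not from the original post and not ISA's logic), the sketch below models the protocol-shape checks a reverse proxy can enforce in front of an origin server; the limits, hostname and rules are assumed. A request that is well-formed but exercises an application-level flaw, such as a missing authorization check on an account lookup, is forwarded untouched, which is exactly the gap the poster describes.

```python
"""Added example: what a simple reverse-proxy request filter can and cannot see.
Limits, hostnames and rules are assumptions for illustration, not ISA settings."""
from dataclasses import dataclass, field
from urllib.parse import unquote

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # assumed policy
MAX_HEADER_BYTES = 8192                     # assumed limit
MAX_BODY_BYTES = 1_000_000                  # assumed limit
PUBLISHED_HOSTS = {"www.example.com"}       # assumed published hostname

def proxy_filter(req: Request) -> str:
    """Return 'forward' if the request would reach the origin web server,
    otherwise a short reason it was dropped at the proxy.

    Only the shape of the HTTP request is inspected: method, Host header,
    header and body size, and a normalised path. Nothing here knows whether
    the application behind the proxy will handle the request safely."""
    if req.method not in ALLOWED_METHODS:
        return "method-not-allowed"
    if req.headers.get("Host") not in PUBLISHED_HOSTS:
        return "unknown-host"
    header_bytes = sum(len(k) + len(v) for k, v in req.headers.items())
    if header_bytes > MAX_HEADER_BYTES:
        return "headers-too-large"
    if len(req.body) > MAX_BODY_BYTES:
        return "body-too-large"
    # Proxies normalise the path before matching rules; decode once and
    # refuse parent-directory segments or embedded NULs.
    decoded = unquote(req.path)
    if ".." in decoded.split("/") or "\x00" in decoded:
        return "bad-path"
    return "forward"

if __name__ == "__main__":
    host = {"Host": "www.example.com"}
    # Malformed shape: stopped at the proxy.
    print(proxy_filter(Request("TRACE", "/", host)))                 # method-not-allowed
    # Well-formed request to an endpoint whose authorization the app may get wrong:
    # the proxy forwards it; only the application can decide if id=1234 is allowed.
    print(proxy_filter(Request("GET", "/account?id=1234", host)))    # forward
```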