Extra Security Features of the Exit-Control Scheme
The exit-control server can provide additional services in addition to guarding the exit. However, it's important to be careful. The goal of this technique is simplicity. In the extreme, if the exit-control server mimics the behavior of the entire web server, it becomes as insecure as the server. However, certain features can be added pretty easily with little or no cost to security. Since the box sits between the web server and the Internet, it can serve as a backup for content that's requested when the web server is down. For example, if a user requests http://my.organization.com/cartoons/today.html and the web server is down because of an attack or even for maintenance, the exit-control box can recognize the request and see that a previous user has already requested this URL. If the box stores content for some time, it can act as a simple cache and return the previously stored value. Of course, there are consistency issues that need to be addressed, but in many cases getting something that's a little old is better than not getting anything at all. This caching can also be useful if the web server has been hijacked. A user requests a particular URL. The exit-control box recognizes that the content has been modified because the fingerprint doesn't match. So, instead of serving the hijacked content, the box can serve the correct content.
The bottom line is that once you put a box at the exit point of your web server, there are several things that you can do. Protecting against hijacked content is probably the main service. Providing backup for some static content is useful as well. And finally, separating security from functionality is always a good thing, and the exit-control strategy is right on the mark.
A fundamental concept in computer security is the notion of a trusted computing base (TCB). The idea is to keep the TCB, which is the security-critical part of a system, as small as possible, and to exhaustively examine and test it. The rest of the system contains functionality, but nothing that's critical for security. Exit control, in a sense, moves the TCB out of the web server, to a simpler box mostly running code that has been widely examined for security. This represents a step in the right direction.