Why bother reverse proxying applications if you aren't using mod_security or TMG/UAG?
From the perspective of defense from attack, not filtering in/out data of course does not add anything of value. One could argue that proxying without forethought in fact lowers security in that:
- greater complexity is introduced, often with a vengeance.
- less transparency in that multiple log and alerting layers need correlation per transaction.
- attack surface increases through additional subsystems.
- greater diversification of systems increases the risk of human error.
- every system carries bugs which introduce uncertainties; proxies are no exception.
Not to mention the waste of technological resources (machines, storage, backup/restore, etc.).
On the other hand, there may be wins which relate to security in other ways:
- Load balancing and failover possibilities.
- Greater flexibility in the separation of access layer from service layer (i.e. easier to do maintenance, restructure etc).
- The future option to easily introduce filtering and whatnot without contention for system resources in the service layer.
- Separating other functions than simple attack signature filtering, such as rewrite logic or certain logging, for instance making for greater ease of configuration and lesser risk during change.
- Certain functions may be better documented or known on the proxy platform, giving greater overall stability and control or a lessening of unknowns through moving them away from the backend.
I'm sure there's more; this is just off the top of my head.
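The per-transaction log correlation mentioned in the answer above, as an added example that is not part of the original answer. It joins proxy and backend log lines on a shared request ID and flags backend hits that cannot be attributed to the proxy; the log format, the `rid` field and the proxy address are assumptions constructed for illustration.

```python
import re

# Constructed sample logs. Assumed format: both tiers log a shared request ID
# ("rid") that the proxy generates and forwards to the backend in a header.
PROXY_LOG = """\
2024-05-01T12:00:00Z rid=a1 client=203.0.113.7 "GET /login" status=200
2024-05-01T12:00:01Z rid=a2 client=203.0.113.7 "POST /login" status=502
2024-05-01T12:00:02Z rid=a3 client=198.51.100.9 "GET /admin" status=403
"""
BACKEND_LOG = """\
2024-05-01T12:00:00Z rid=a1 peer=10.0.0.5 "GET /login" status=200
2024-05-01T12:00:01Z rid=a2 peer=10.0.0.5 "POST /login" status=500
2024-05-01T12:00:05Z rid=- peer=198.51.100.9 "GET /admin" status=200
"""
PROXY_ADDR = "10.0.0.5"  # assumed address the proxy uses toward the backend

LINE = re.compile(r'(?P<ts>\S+) rid=(?P<rid>\S+) (?:client|peer)=(?P<src>\S+) '
                  r'"(?P<req>[^"]*)" status=(?P<status>\d{3})')

def parse(text):
    """Return one dict per log line that matches the assumed format."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def correlate(proxy_text, backend_text, proxy_addr=PROXY_ADDR):
    """Join both layers per transaction and report what does not line up."""
    proxy = {e["rid"]: e for e in parse(proxy_text)}
    out = {"joined": [], "status_mismatch": [],
           "proxy_only": [], "backend_unattributed": []}
    seen = set()
    for b in parse(backend_text):
        p = proxy.get(b["rid"])
        # Backend traffic not from the proxy, or with an unknown request ID,
        # means the access layer was skipped or the ID was lost on the way.
        if b["src"] != proxy_addr or p is None:
            out["backend_unattributed"].append(b)
            continue
        seen.add(b["rid"])
        # Restore the real client address, which the backend never sees.
        out["joined"].append((p["src"], b["req"], b["status"]))
        if p["status"] != b["status"]:
            out["status_mismatch"].append(b["rid"])
    # Requests answered at the proxy (denied, cached) never reach the backend.
    out["proxy_only"] = [rid for rid in proxy if rid not in seen]
    return out
```
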
There was a time that the default install of Apache simply had fewer known security holes than a default install of IIS; that alone was a security improvement.
Thus, it may have simply become tribal lore because it was once a best practice.