On 19/06/06 22:18 -0400, Paul D. Robertson wrote:

> That's been true of every new protocol in the last 6 or 7 years, if not
> longer. If you're going to let users install things, you're going to have
> to deal with it. Software restriction policies, ACLs, etc. You can't
> give up control of the end platform, then expect to get decent security
> by blocking arbitrary ports.

Also, a lot of people have problems with corporate policies not allowing
the opening of ports, or overly bureaucratic procedures for doing so. They
can generally expect that HTTP will be open, and hence the desire to
run everything over HTTP. What we need is a proxy which will analyse
HTTP traffic content, and filter _that_.

I mean that we need a proxy which will analyse the contents of the XML
request, and then allow or deny based on that.

If you think this is bad, consider SOAP. XML over HTTP, so no new ports
have to be opened (yay! it just works!). And the XML is a wrapper around
an entirely new protocol, which would at one time have needed a separate
port (and hopefully, a proxy).

Now with application writers deciding that supporting so many platforms
is hard and writing web applications, we have a system where the OS is a
browser, code is dynamic (JavaScript and AJAX, anyone?) and all code is
tunneled over a protocol with holes you could drive a truck (or two)
through (HTTP).

Firewalls are turning into a joke here. If you were worried about
tunnels, now start worrying about tunnels in tunnels.

Devdas Bhagat
firewall-wizards mailing list
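The content-inspecting proxy Devdas describes, sketched as an added example rather than anything from the thread: instead of deciding on the port, the proxy parses the SOAP envelope inside the HTTP POST and allows or denies on the operation it carries. The namespaces `urn:example:inventory`, the allowlist, the size limit and the sample envelopes are all constructed for illustration; the SOAP 1.1 and 1.2 envelope namespaces are the real ones. The filter also refuses any payload carrying an inline DTD, since a proxy has no legitimate need to honour one and it is the vehicle for entity-expansion abuse.

```python
"""Content-inspecting filter for SOAP-over-HTTP requests.

Added example, not code from the firewall-wizards thread. It shows an
HTTP proxy deciding allow/deny on the XML payload rather than the port.
The allowlist, operation namespace and sample envelopes are constructed.
"""
import xml.etree.ElementTree as ET

SOAP11_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"

# Hypothetical policy: (namespace, operation) pairs this proxy lets through.
ALLOWED_OPERATIONS = {
    ("urn:example:inventory", "GetStockLevel"),
    ("urn:example:inventory", "ListWarehouses"),
}

MAX_BODY_BYTES = 64 * 1024  # constructed limit; cap work done per request


def soap_operation(payload: bytes) -> tuple:
    """Return (namespace, localname) of the first child of soap:Body.

    Raises ValueError for anything that is not a well-formed SOAP envelope
    the proxy is willing to look at.
    """
    if len(payload) > MAX_BODY_BYTES:
        raise ValueError("payload exceeds size limit")
    # Refuse inline DTDs outright: entity declarations are how
    # billion-laughs style expansion is smuggled into a parser.
    if b"<!DOCTYPE" in payload:
        raise ValueError("DTD not permitted")
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    # ElementTree spells namespaced tags as "{ns}local".
    ns, _, local = root.tag.rpartition("}")
    ns = ns.lstrip("{")
    if ns not in (SOAP11_ENV, SOAP12_ENV) or local != "Envelope":
        raise ValueError("not a SOAP envelope")
    body = root.find(f"{{{ns}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("missing SOAP Body")
    op_ns, _, op_local = body[0].tag.rpartition("}")
    return op_ns.lstrip("{"), op_local


def filter_request(content_type: str, payload: bytes) -> tuple:
    """Policy decision for one HTTP request: ("allow"|"deny", reason)."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in ("text/xml", "application/soap+xml"):
        return ("deny", "unexpected content type")
    try:
        op = soap_operation(payload)
    except ValueError as exc:
        return ("deny", str(exc))
    if op in ALLOWED_OPERATIONS:
        return ("allow", f"{op[1]} permitted")
    return ("deny", f"operation {op[0]}#{op[1]} not in allowlist")


# Constructed sample requests a proxy might see.
ALLOWED_CALL = (
    b'<?xml version="1.0"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><inv:GetStockLevel xmlns:inv="urn:example:inventory">'
    b'<inv:sku>A-100</inv:sku></inv:GetStockLevel></soap:Body></soap:Envelope>'
)
UNLISTED_CALL = ALLOWED_CALL.replace(b"GetStockLevel", b"DeleteWarehouse")
DTD_CALL = ALLOWED_CALL.replace(
    b'<?xml version="1.0"?>',
    b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "e">]>')
NOT_SOAP = b"<hello/>"

if __name__ == "__main__":
    for label, ctype, body in [
        ("allowed op", "text/xml; charset=utf-8", ALLOWED_CALL),
        ("unlisted op", "text/xml", UNLISTED_CALL),
        ("inline DTD", "text/xml", DTD_CALL),
        ("plain XML", "application/soap+xml", NOT_SOAP),
        ("wrong type", "application/octet-stream", ALLOWED_CALL),
    ]:
        print(f"{label:12s} -> {filter_request(ctype, body)}")
```

The decision is made on the (namespace, operation) pair rather than on a string match against the raw bytes, so renaming a prefix or reordering attributes does not slip past the policy; whatever the operation element carries as arguments is still opaque to this filter and would need its own schema check.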