On Wed, 5 May 1999 [EMAIL PROTECTED] wrote:
> I have a request pending to allow IIOP through a proxy firewall gateway
> using a generic TCP proxy.
I'm using different TCP level gateways as IIOP firewalls, too. From simple
many-to-one mapping (like plug-gw, but self written to avoid license
problems) to complex transparent proxies supporting many-to-many mapping
with callbacks, and controlled by the server and client objects.
> I would welcome comments about the security
> implications of allowing IIOP through the firewall gateway, especially if
> anyone knows of exploits using IIOP as the means of entry.
IIOP is not a real application protocol, it's just "middleware". The
security of IIOP mainly depends on your specific application.
First of all you should encrypt your requests, for example with IIOP/SSL,
to protect against some low level attacks.
The TCP level gateway does not protect you from any attacks in the IIOP
requests themselves. If a client can connect to the server, it can invoke all
operations on all objects listening at this server socket. If you need
authorisation or ACLs, your application has to do it by itself. An
attacker could also try a buffer overflow in your application or the ORB.
Rudi
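
The per-operation check that a TCP-level gateway cannot make, as an added example that is not part of the original message: it parses the object key and operation name out of a GIOP 1.0/1.1 Request header and compares them with an application ACL. The ACL contents, the object key `AccountMgr`, the operation names and the `build_request` helper are hypothetical, and the sample message is constructed.

```python
import struct

# Hypothetical application ACL: (object key, operation) pairs clients may invoke.
ALLOWED = {(b"AccountMgr", "get_balance")}

def parse_request(msg):
    """Return (object_key, operation) from a GIOP 1.0/1.1 Request message."""
    if len(msg) < 12 or msg[:4] != b"GIOP":
        raise ValueError("not GIOP")
    if (msg[4], msg[5]) not in ((1, 0), (1, 1)) or msg[7] != 0:
        raise ValueError("only GIOP 1.0/1.1 Request messages handled")
    fmt = "<I" if msg[6] & 1 else ">I"          # byte-order flag
    if struct.unpack_from(fmt, msg, 8)[0] != len(msg) - 12:
        raise ValueError("message size mismatch")
    pos = 12                                    # body follows 12-byte header
    def ulong():
        nonlocal pos
        pos = (pos + 3) & ~3                    # CDR: ulong is 4-byte aligned
        if pos + 4 > len(msg):
            raise ValueError("truncated")
        pos += 4
        return struct.unpack_from(fmt, msg, pos - 4)[0]
    def octets(n):
        nonlocal pos
        if pos + n > len(msg):
            raise ValueError("length field exceeds message")
        pos += n
        return msg[pos - n:pos]
    for _ in range(ulong()):                    # skip service context list
        ulong()                                 # context id
        octets(ulong())                         # context data
    ulong()                                     # request_id
    octets(1)                                   # response_expected
    key = octets(ulong())                       # object_key
    op = octets(ulong()).rstrip(b"\0").decode("ascii")
    return key, op

def authorize(msg):
    try:
        return parse_request(msg) in ALLOWED
    except ValueError:                          # includes UnicodeDecodeError
        return False                            # fail closed on malformed input

def build_request(key, op):
    """Constructed sample: big-endian GIOP 1.0 Request, no service contexts."""
    body = struct.pack(">IIB3x", 0, 1, 1) + struct.pack(">I", len(key)) + key
    body += b"\0" * (-len(body) % 4) + struct.pack(">I", len(op) + 1) + op.encode() + b"\0"
    body += b"\0" * (-len(body) % 4) + struct.pack(">I", 0)   # empty principal
    return b"GIOP\x01\x00\x00\x00" + struct.pack(">I", len(body)) + body
```

Both sample requests are equally valid TCP streams to a plug-style gateway; only a check at this layer, in the ORB or the application, tells them apart.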