I should note that I don't speak in any official or
representative capacity.
I'm not sure what your question is.. (other than the fact that
our presenters don't understand the intricacies of firewalls,
no surprise there.)
Is it: Does everyone else think this is really evil to send
code across HTTP?
Or is it: Hey, this is cool... we don't have to request firewall
changes to allow our stuff onto other people's networks!
I mean that not sarcastically, but seriously. I've had our
developers ask me (me being the Sybase firewall guy)
what technical tricks can be done to get a new toy
to work with firewalls. I told them that they either had to get
the firewall admins to allow particular ports and protocols,
or they had to redesign to run over some universally allowed
protocol, such as HTTP.
So, possibly some small portion of the blame is mine.
We weren't the first to use HTTP as a transport protocol,
and we won't be the last. I don't know if that is an excuse
for anything or not.
Little can be done to prevent your internal users from
doing things that aren't necessarily a good idea.
Perhaps Sybase is at fault for contributing to this.
If people are really interested, I'll pursue how to intentionally
break our product using firewall X for a couple of popular
firewalls.
Ryan
Greetings,
I recently attended a conference at which Sybase demonstrated their
latest application server product, which they call Enterprise
Application Server. It manages and distributes server objects such as
CORBA, COM, Java, and native PowerBuilder objects for use in distributed
applications. Obviously, this activity requires a client-server
connection using some kind of protocol. I began to get a queasy feeling,
so I interrupted their enthusiastic demo with a question about what had
been done to address the inevitable firewall issues. They stared blankly
at me for a few seconds, and then asked me what I meant. I explained
that if I wanted to deploy an application based on their product, I
would need such information so that I could "negotiate" intelligently
with the client's network admins. More staring. Finally, one of the
reps. explained that their setup will attempt to talk using its native,
proprietary protocol. If this fails, it tries again, tunneling via HTTP.
I didn't ask what happens if that fails, since I was getting dirty looks
from those sitting around me, who had apparently come for a pep rally.
But the reps. seemed to think it strange that any admin would have a
problem with multitudes of binary payloads being tunneled through their
carefully tended security.
Any comments?