Jeff,
                           |            |
                           |  Internet  |
      Corp A               |            |            Corp B
                           |            |
                           |            |
                           |            |
+---------------+          |            |          +---------------+
|   System J    |<================================>|   System K    |
|(part of app Z)|          |"X protocol"|          |(part of app Z)|
+---------------+          |            |          +---------------+
                           |            |
                           |            |
                           |            |
                           |            |
                           |            |
                     A's Security B's Security
                       Perimeter    Perimeter
                           |            |
                           |            |
+------------------------ Span of App "Z" -------------------------+
#..that having proxy support (in perimeter security systems) for a given
#protocol, such as "X", is desirable. What if some folks in your company come
#to you wanting to deploy an app such as "Z", using new protocol "X" which
#doesn't yet have off-the-shelf proxy support? Is that necessarily a
#showstopper (from your perspective)? Would folks be willing to roll their own
#proxy (at least to get going) as Bill hints? Or might early deployment trials
#and phases be run over an open pass-through port, with proxies being
#incorporated as such support for protocol "X" emerges?
The issue here is that they are making connections into your network. If I
were running security at Corp B then I would place System K on a DMZ (in this
case a third network card off of the firewall) and allow internal people
who needed access to System K to connect to it through the firewall. I
would prefer a real application layer proxy for protocol X since I cannot
"roll my own" complete with application layer checks, but I would use a
generic proxy to pass it to the DMZ.
#So, it seems to me, layering app protocols such as "X" on SOAP-over-HTTP isn't
#necessarily a panacea for "going through firewalls" -- those of you who're
#running HTTP proxies will likely easily notice SOAP going through port 80,
#though in {some | many?} cases you'll have to configure stuff to explicitly
#look for it (yes?).
I would not allow HTTP connections that are generated externally through my
firewall to the internal network, either. I also would run an application
layer HTTP proxy that denies SOAP. Since I know that protocol X is only
used in this one instance, I am much more likely to allow it through than to
allow through something like SOAP, which can be used for more than just
communications by app Z.
Regards,
Jeffery Gieser
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
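The three-zone DMZ design Jeff describes above (System K on a third firewall interface, protocol X from the Internet reaching only K, internal staff reaching K through the firewall, no externally generated HTTP into the internal network, and an HTTP proxy that refuses SOAP), written out as an added policy evaluator; this is example code, not anything from the thread. The zone names, the DMZ address for System K, the port for "protocol X" and the SOAPAction/envelope-namespace test used to spot SOAP are all my assumptions, since the thread never names them.

```python
"""Zone policy for the DMZ design discussed in the thread (constructed example)."""
from dataclasses import dataclass

SYSTEM_K = "192.0.2.10"   # assumed DMZ address for System K (documentation range)
X_PORT = 7000             # assumed port for "protocol X"; the thread never says

@dataclass(frozen=True)
class Flow:
    src_zone: str   # "internet", "dmz" or "internal"
    dst_zone: str
    dst_ip: str
    dst_port: int

# First match wins; anything that matches no rule is denied at the end.
RULES = [
    # Protocol X from the Internet may reach System K on the DMZ, nothing else.
    (dict(src_zone="internet", dst_zone="dmz", dst_ip=SYSTEM_K, dst_port=X_PORT), "allow"),
    # Internal people who need System K connect to it through the firewall.
    (dict(src_zone="internal", dst_zone="dmz", dst_ip=SYSTEM_K), "allow"),
    # No externally generated connection (HTTP included) into the internal net.
    (dict(src_zone="internet", dst_zone="internal"), "deny"),
    # A compromised DMZ host must not be able to pivot inward either.
    (dict(src_zone="dmz", dst_zone="internal"), "deny"),
]

def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow under first-match semantics."""
    for match, verdict in RULES:
        if all(getattr(flow, field) == value for field, value in match.items()):
            return verdict
    return "deny"  # default deny

SOAP_ENVELOPE_NS = (
    "http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",     # SOAP 1.2
)

def is_soap(headers: dict, body: str) -> bool:
    """Application-layer check an HTTP proxy can apply to a request on port 80:
    SOAP 1.1 carries a SOAPAction header, SOAP 1.2 uses application/soap+xml,
    and any XML body naming the envelope namespace is treated as SOAP too."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "soapaction" in lowered:
        return True
    ctype = lowered.get("content-type", "").lower()
    if "application/soap+xml" in ctype:
        return True
    return "xml" in ctype and any(ns in body for ns in SOAP_ENVELOPE_NS)
```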