I'm sure this issue must have come up before, but I've searched the 
archives and haven't found anything...

The issue:

Traditionally different services have been exposed on different ports, 
and consequently a perimeter firewall has been able to shield specific 
services on the protected hosts simply by blocking packets destined to 
those ports.

SOAP (and Web services generally) defeat this technique by overloading 
port 80 to expose a variety of services. Because SOAP has no real 
security model, poorly written handlers for SOAP requests represent a 
real security risk. Consequently it isn't sufficient to filter packets 
based on port.

At the same time it doesn't seem to me that a proxy based approach is a 
sufficient response to the SOAP problem, partly because we may have 
legitimate reasons for allowing particular machines within our 
protected networks to receive particular types of SOAP messages, while 
blocking the same types of messages destined for other machines, and 
blocking other types of SOAP messages destined for the same machines.

What I'm looking for is an open source (preferably GPL) project to 
build a proxy-type filter to interwork with netfilter so that packets 
addressed to selected ports can be buffered until enough information 
has been read to determine whether or not they are SOAP requests, and 
then, if they are, to filter them based on content details such as, for 
example, the XML namespaces declared.

If there already is a project doing this, that's great, I want to join 
it. If there's some reason I haven't thought of why the project is 
either redundant or impossible, that's great, I'd like to know it. If 
it isn't redundant and it isn't impossible and no-one's yet doing it, 
that's great, I'll start one. 

Anybody?

Cheers

Simon

-- 
[EMAIL PROTECTED] (Simon Brooke) http://www.jasmine.org.uk/~simon/

        Morning had broken, and there was nothing we could do but wait
        patiently for the RAC to arrive.
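An added illustration of the decision such a filter would have to make once it has buffered a whole request: this is example code written for this page, not code from the original post nor from any existing project. It assumes a hypothetical per-destination policy table (destination address -> payload namespaces that host may receive), constructed sample requests, and that the destination address is handed over by whatever delivers the stream (a netfilter queue or a transparent proxy); the HTTP parsing is deliberately minimal.

```python
import io
import xml.etree.ElementTree as ET

# Envelope namespaces that identify a body as SOAP (1.1 and 1.2).
SOAP_ENVELOPE_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://www.w3.org/2003/05/soap-envelope",
}
# Schema namespaces that routinely appear in envelopes and carry no policy meaning.
NEUTRAL_NS = {
    "http://www.w3.org/2001/XMLSchema",
    "http://www.w3.org/2001/XMLSchema-instance",
}
# Hypothetical per-destination policy (constructed for this example):
# destination address -> payload namespaces that host is allowed to receive.
POLICY = {
    "10.0.0.5": {"urn:example:orders"},
    "10.0.0.6": {"urn:example:inventory"},
}
ALLOW_NON_SOAP = True   # let ordinary web traffic through to these hosts


def parse_headers(head):
    """Parse the request line plus header block into a lowercase-keyed dict."""
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


class RequestBuffer:
    """Accumulate stream data until one complete HTTP request has arrived."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        """Return the bytes of one complete request, or None if more is needed."""
        self.buf += chunk
        sep = self.buf.find(b"\r\n\r\n")
        if sep < 0:
            return None                       # headers not complete yet
        length = int(parse_headers(self.buf[:sep]).get("content-length", "0"))
        end = sep + 4 + length
        if len(self.buf) < end:
            return None                       # body still in flight
        request, self.buf = self.buf[:end], self.buf[end:]
        return request


def soap_namespaces(body):
    """Return every namespace URI declared in a SOAP envelope, or None if the
    body is not well-formed XML or its root element is not a SOAP Envelope."""
    declared, root_tag = set(), None
    try:
        # A production filter should bound entity expansion (e.g. use defusedxml).
        for event, item in ET.iterparse(io.BytesIO(body), events=("start-ns", "start")):
            if event == "start-ns":
                declared.add(item[1])         # item is (prefix, uri)
            elif root_tag is None:
                root_tag = item.tag           # first element: "{uri}local"
    except ET.ParseError:
        return None
    if root_tag is None or not root_tag.startswith("{"):
        return None
    ns, _, local = root_tag[1:].partition("}")
    if local != "Envelope" or ns not in SOAP_ENVELOPE_NS:
        return None
    return declared


def decide(dest_host, raw):
    """Return (verdict, reason) for one complete request headed for dest_host."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = parse_headers(head)
    claims_soap = "soapaction" in headers or "xml" in headers.get("content-type", "").lower()
    declared = soap_namespaces(body) if body else None
    if declared is None:
        if claims_soap:
            return "DROP", "request claims SOAP but carries no SOAP envelope"
        return ("ACCEPT" if ALLOW_NON_SOAP else "DROP"), "not a SOAP request"
    disallowed = declared - SOAP_ENVELOPE_NS - NEUTRAL_NS - POLICY.get(dest_host, set())
    if disallowed:
        return "DROP", "namespace(s) %s not permitted for %s" % (sorted(disallowed), dest_host)
    return "ACCEPT", "SOAP namespaces permitted for %s" % dest_host


def build_request(path, body, content_type="text/xml; charset=utf-8"):
    """Constructed sample request (not captured traffic) with a correct Content-Length."""
    return (b"POST " + path.encode() + b" HTTP/1.1\r\nHost: gateway.example.internal\r\n"
            b"Content-Type: " + content_type.encode() + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


ORDER_BODY = (b'<?xml version="1.0"?>'
              b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
              b'<soap:Body><o:PlaceOrder xmlns:o="urn:example:orders"><o:Item>42</o:Item>'
              b'</o:PlaceOrder></soap:Body></soap:Envelope>')
ORDER_REQUEST = build_request("/services/orders", ORDER_BODY)
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.internal\r\n\r\n"

if __name__ == "__main__":
    buf = RequestBuffer()
    assert buf.feed(ORDER_REQUEST[:40]) is None   # first segment: headers incomplete
    complete = buf.feed(ORDER_REQUEST[40:])
    print(decide("10.0.0.5", complete))   # ACCEPT: orders host may receive urn:example:orders
    print(decide("10.0.0.6", complete))   # DROP: same message, wrong destination
    print(decide("10.0.0.6", PLAIN_GET))  # ACCEPT: ordinary web traffic
```

The same envelope is accepted for one destination and dropped for another, which is the per-host, per-message-type distinction the post asks for. Note the two failure modes the filter treats differently: a request that advertises SOAP (Content-Type or SOAPAction) without a parseable envelope is dropped, while an ordinary non-SOAP request falls through to the ALLOW_NON_SOAP setting.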
