Damn reply button (*mutter*)....

Simon Brooke said:

> I'm sure this issue must have come up before, but I've searched the
> archives and haven't found anything...
>
> The issue:
>
> Traditionally different services have been exposed on different ports,
> and consequently a perimeter firewall has been able to shield specific
> services on the protected hosts simply by blocking packets destined to
> those ports.

When companies say "works with firewalls" I think they mean "works *through* firewalls". It serves as a reminder that security is a process and not just a technology (like a firewall).

> SOAP (and Web services generally) defeat this technique by overloading
> port 80 to expose a variety of services. Because SOAP has no real
> security model, poorly written handlers for SOAP requests represent a
> real security risk. Consequently it isn't sufficient to filter packets
> based on port.
> At the same time it doesn't seem to me that a proxy based approach is a
> sufficient response to the SOAP problem, partly because we may have
> legitimate reasons for allowing particular machines within our
> protected networks to receive particular types of SOAP messages, while
> blocking the same types of messages destined for other machines, and
> blocking other types of SOAP messages destined for the same machines.
>
> What I'm looking for is an open source (preferably GPL) project to
> build a proxy-type filter to interwork with netfilter so that packets
> addressed to selected ports can be buffered until enough information
> has been read to determine whether or not they are SOAP requests, and
> then, if they are, to filter them based on content details such as, for
> example, the XML namespaces declared.

Are you sure you want to do this at the netfilter level? Netfilter will allow you to redirect packets through a user space handler, but that seems inefficient if you're dealing with volumes of traffic.

Why not just deal with it at the application level with a proxy-type solution and leave netfilter out of this particular loop? Maybe there is something you could do with squid?

> If there already is a project doing this, that's great, I want to join
> it. If there's some reason I haven't thought of why the project is
> either redundant or impossible, that's great, I'd like to know it. If
> it isn't redundant and it isn't impossible and no-one's yet doing it,
> that's great, I'll start one.

I've seen it mentioned on a GNU mailing list somewhere. Try checking out freshmeat and sourceforge first?

Alex
www.bennee.com/~alex/
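The content-level check Simon describes, as an added example that is not part of either message: a buffered HTTP request is classified as SOAP or not, and SOAP messages are then allowed or denied per destination host according to the XML namespaces they declare. The policy table, host names and sample requests are constructed for illustration; hosts with no policy entry are denied by default.

```python
"""Decide whether a buffered HTTP request is SOAP and, if so, whether its
declared XML namespaces are permitted for the destination host."""
import io
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

SOAP_ENVELOPES = {
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
}

def split_http(raw: bytes):
    """Split a raw HTTP request into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def declared_namespaces(body: bytes):
    """Return (root element tag, set of xmlns URIs) or (None, set()) if not XML."""
    namespaces, root = set(), None
    try:
        for event, value in ET.iterparse(io.BytesIO(body), events=("start-ns", "start")):
            if event == "start-ns":
                namespaces.add(value[1])       # value is (prefix, uri)
            elif root is None:
                root = value.tag               # first element seen is the root
    except ET.ParseError:
        return None, set()
    return root, namespaces

def is_soap(headers: dict, root) -> bool:
    """SOAP if the request advertises SOAPAction or its root is a SOAP Envelope."""
    if "soapaction" in headers:
        return True
    return root is not None and any("{%s}Envelope" % e == root for e in SOAP_ENVELOPES)

def decide(raw: bytes, dest_host: str, policy: dict) -> str:
    """Return 'pass' (not SOAP), 'allow' or 'deny' for this request/host pair."""
    headers, body = split_http(raw)
    root, namespaces = declared_namespaces(body)
    if not is_soap(headers, root):
        return "pass"
    if dest_host not in policy:                # default deny for unlisted hosts
        return "deny"
    app_ns = namespaces - SOAP_ENVELOPES       # envelope namespace is always fine
    return "allow" if app_ns <= policy[dest_host] else "deny"

# Constructed sample traffic and a constructed per-host allow-list.
POLICY = {"app1": {"urn:example:orders"}}
SOAP_REQ = (b"POST /svc HTTP/1.1\r\nHost: app1\r\nContent-Type: text/xml\r\n"
            b"SOAPAction: \"urn:orders\"\r\n\r\n"
            b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<s:Body><o:Order xmlns:o="urn:example:orders"/></s:Body></s:Envelope>')
PLAIN_REQ = b"GET /index.html HTTP/1.1\r\nHost: app1\r\n\r\n"
```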