Matthew,

> Considering that for the majority of their lifetime most XMPP streams
> are encrypted and often compressed, iptables probably wouldn't be that
> much help at L7-filtering in XMPP.

If the XMPP server ran a locally hosted iptables firewall, perhaps some additional traffic could be filtered.

Federated example: my understanding, having looked briefly at the book entitled "XMPP: The Definitive Guide", is that traffic from c2s is decrypted at the XMPP server, then encrypted again for s2s communication, then decrypted on the end XMPP server before being encrypted once more for s2c. Perhaps some deep packet inspection can occur at the times when the communication is passing through the XMPP servers.

I also learnt from the book that the XMPP server may act as a relay/proxy for media such as SIP, video and file sharing. Clients may also use p2p communication for these types of media. Are these communications encrypted? Perhaps a company policy might be to prevent out-of-band XMPP communication, to prevent the possible leakage of sensitive files via the XMPP relay service or p2p communication. Would a firewall be useful here?

If packets could be inspected above the usual IP and transport layers, then iptables could use modules such as "string match", "L7-Filter" and the "U32 module" to filter out worm and SPIM signatures. It could also filter out JIDs, so that a certain user cannot access the outside world over XMPP. As far as I know, XMPP has some sort of JID user filtering for this, but including the firewall adds defense in depth.

> I'd say the main weak point in XMPP's defences (at the moment) is DNS.
> Since few servers have certificates signed by a CA, and many servers
> don't check anyway, XMPP is very dependent on DNS being correct.

And DNSSEC is not implemented in practice either. Perhaps a set of firewall rules that ensures that clients and/or the XMPP server can only make DNS queries to a certain IP address of the internal DNS server might be of use.

What I am trying to do is tease out the threats to XMPP servers (and clients) and how best firewalls can add value at the (1) IP layer, (2) TCP/UDP layer and (3) application (XMPP) layer. I guess (1) and (2) are common across all servers, for example packet/connection limiting, making sure only the required XMPP ports are open on the firewall, and so forth.

> Matthew
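As an added illustration of the layer (1)/(2) controls and the DNS-pinning idea raised in this message (this script is not part of the thread and not from any XMPP project), the following POSIX shell script emits an iptables rule set for a host running an XMPP server: only the c2s and s2s ports are reachable, the host may resolve names only through one internal resolver (any other DNS destination is logged and dropped), new connections are rate-limited and capped per source, and no file-transfer proxy or media relay port is opened, so out-of-band transfers through the host fall to the default DROP policy. The resolver address 10.0.0.53 and the rate/connection limits are constructed placeholders; the port numbers are the ones registered for XMPP in RFC 6120.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: print an iptables rule set for an
# XMPP server host. Printing rather than applying lets the rules be reviewed first:
#   sh xmpp-fw.sh          # review the rules
#   sh xmpp-fw.sh | sh     # apply them (as root)
INTERNAL_DNS="${INTERNAL_DNS:-10.0.0.53}"   # assumed internal resolver (placeholder)
C2S_PORT=5222                                # client-to-server (RFC 6120)
S2S_PORT=5269                                # server-to-server (RFC 6120)
NEW_CONN_RATE="${NEW_CONN_RATE:-20/s}"       # assumed tolerable rate of new connections
PER_SOURCE_MAX="${PER_SOURCE_MAX:-25}"       # assumed cap on concurrent c2s per source IP

emit_rules() {
  cat <<EOF
# default-deny in every direction; anything not accepted below is dropped
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# DNS: only the internal resolver (UDP or TCP); any other resolver is logged, then dropped
iptables -A OUTPUT -d ${INTERNAL_DNS} -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -d ${INTERNAL_DNS} -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j LOG --log-prefix "XMPP-DNS-BYPASS: "
iptables -A OUTPUT -p tcp --dport 53 -j LOG --log-prefix "XMPP-DNS-BYPASS: "
iptables -A OUTPUT -p udp --dport 53 -j DROP
iptables -A OUTPUT -p tcp --dport 53 -j DROP
# c2s: clients connect to us; cap concurrent connections per source, rate-limit new ones
iptables -A INPUT -p tcp --dport ${C2S_PORT} -m conntrack --ctstate NEW -m connlimit --connlimit-above ${PER_SOURCE_MAX} --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport ${C2S_PORT} -m conntrack --ctstate NEW -m limit --limit ${NEW_CONN_RATE} --limit-burst 50 -j ACCEPT
iptables -A INPUT -p tcp --dport ${C2S_PORT} -m conntrack --ctstate NEW -j DROP
# s2s: federated servers connect to us, and we connect out to them
iptables -A INPUT -p tcp --dport ${S2S_PORT} -m conntrack --ctstate NEW -m limit --limit ${NEW_CONN_RATE} --limit-burst 50 -j ACCEPT
iptables -A INPUT -p tcp --dport ${S2S_PORT} -m conntrack --ctstate NEW -j DROP
iptables -A OUTPUT -p tcp --dport ${S2S_PORT} -m conntrack --ctstate NEW -j ACCEPT
# nothing opens a file-transfer proxy or media relay port, so out-of-band transfers via
# this host hit the default DROP policy; log (rate-limited) what falls through so it is visible
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "XMPP-FW-DROP-IN: "
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "XMPP-FW-DROP-OUT: "
EOF
}

# dns_rules_ok: succeeds only if every DNS ACCEPT rule names the internal resolver,
# i.e. no rule could let a query reach some other resolver
dns_rules_ok() {
  ! emit_rules | grep -- '--dport 53' | grep ACCEPT | grep -v -- "-d ${INTERNAL_DNS}" | grep -q .
}

emit_rules
```

The script only prints; applying it is a separate, deliberate step, which is also the point at which the placeholder resolver address and limits would be replaced with the site's own values. The trailing LOG rules are what make the "out-of-band transfer blocked" policy observable on the host rather than silent.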
