On Tue Jun 15 11:13:12 2010, Matthew Wild wrote:
> On 15 June 2010 10:49, paddy joesoap <[email protected]> wrote:
> > Regardless of encrypted layer-7, there are some synergies between XMPP
> > and iptables firewall when providing security in-depth.
> > 1) XMPP IP address whitelist, firewall source IP address filtering
>
> I'd be surprised if there aren't any XMPP servers that can already do
> this, but yet I'd agree it's a job best done by the firewall.

Isode M-Link has some capability to check the IP address of
connections from certain domains, so you could, for example,
configure it to only accept jabber.org domains from hermes.jabber.org.
This kind of thing needs XMPP knowledge, so is best done in the
server itself.

> > 2) XMPP requires certain ports to be open, firewall open required
> > ports for required protocols (application alignment with
> > infrastructure)
>
> Yes, external firewall.

Note that for outbound S2S, XMPP can potentially use any port. We
have seen "issues" with corporate firewall folk not wishing to open
up anything more than 5269 outbound.

> > 4) XMPP does not perform IP address anti-spoofing, firewall
> > prevents/reduces anti-spoofing attempts.
>
> For s2s connections (clients already authenticate with credentials, so
> it's not as much of an issue) XMPP uses dialback to prevent spoofing:
> http://xmpp.org/extensions/xep-0220.html
>
> Obviously as I noted before, this is dependent on DNS being correct.
> Anything you can deploy externally would help make the dialback checks
> more secure.

I think he's referring to IP-level spoofing. XMPP being entirely TCP,
this is somewhat difficult to achieve in practice, and is largely
down to the OS's TCP security.

That said, the moment you have any TLS at all in place (including
unauthenticated ADH, say) then my understanding is that IP spoofing
is no longer practical.

> I use (and develop) Prosody. I should probably mention that I've been
> working on something the past few weeks that might interest you - it's
> essentially a Prosody module that handles most of what we've been
> discussing. The best way to describe it is probably "iptables for
> XMPP", as it lets you define custom rules for handling/routing
> stanzas, based on their header, contents, origin and other things. I'm
> away this week, but was planning to release it next week when I get
> back.

FWIW, Isode M-Link - which I develop and run - will strip out certain
sub-elements of stanzas, and require them, on a per-domain basis.
This isn't a firewall feature as such, it's intended more for
dropping data that's not needed or wanted, for information security
or bandwidth reasons - for example, you can strip out the <status/>
from presence to avoid information leakage, or require that any
<message/> must have a <body/> to restrict message traffic to simple
IM.

It wouldn't surprise me at all to discover there are similar controls
available for most servers.
Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
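As an added illustration (my own example code, not from Prosody, M-Link or anyone in the thread) of the XEP-0220 dialback exchange Matthew points to, and of the point that it only holds while DNS is correct: a toy model with the three dialback roles collapsed into one `XmppServer` class, a plain dictionary `dns` standing in for the SRV/A lookup, and the key derivation XEP-0220 recommends (HMAC-SHA256 keyed with SHA256 of a per-server secret). The domain names and class are constructed for the example; no sockets are involved.

```python
import hashlib, hmac, secrets

class XmppServer:
    def __init__(self, domain, dns):
        self.domain = domain
        self.secret = secrets.token_hex(32)  # per-server dialback secret
        self.dns = dns                       # constructed stand-in for SRV/A lookup
        self.streams = set()                 # stream ids this server has issued

    def dialback_key(self, receiving, originating, stream_id):
        # XEP-0220: HMAC-SHA256(SHA256(secret), "<receiving> <originating> <stream id>")
        k = hashlib.sha256(self.secret.encode()).digest()
        msg = f"{receiving} {originating} {stream_id}".encode()
        return hmac.new(k, msg, hashlib.sha256).hexdigest()

    def issue_stream_id(self):
        sid = secrets.token_hex(8)
        self.streams.add(sid)
        return sid

    # Originating Server -> Receiving Server: <db:result from=.. to=..>key</db:result>
    def open_s2s(self, receiving):
        sid = receiving.issue_stream_id()
        key = self.dialback_key(receiving.domain, self.domain, sid)
        return receiving.on_db_result(self.domain, sid, key)

    # Receiving Server: DNS-resolve the claimed origin's Authoritative Server and
    # send it <db:verify from=.. to=.. id=sid>key</db:verify>
    def on_db_result(self, origin, sid, key):
        authoritative = self.dns.get(origin)
        if sid not in self.streams or authoritative is None:
            return "invalid"
        return authoritative.on_db_verify(self.domain, origin, sid, key)

    # Authoritative Server: only it holds the secret that produced a genuine key
    def on_db_verify(self, receiving, originating, sid, key):
        expected = self.dialback_key(receiving, originating, sid)
        return "valid" if hmac.compare_digest(expected, key) else "invalid"

def run_scenarios():
    dns = {}
    jabber = XmppServer("jabber.org", dns)
    example = XmppServer("example.net", dns)
    impostor = XmppServer("jabber.org", dns)  # other host, other secret, same claimed name
    dns.update({"jabber.org": jabber, "example.net": example})
    honest = jabber.open_s2s(example)       # verified at the real jabber.org -> "valid"
    spoofed = impostor.open_s2s(example)    # key checked against the real secret -> "invalid"
    dns["jabber.org"] = impostor            # wrong DNS answer: dialback cannot tell -> "valid"
    return honest, spoofed, impostor.open_s2s(example)
```

The third result is the case Matthew's caveat is about: dialback proves only that whoever DNS names for the origin domain vouches for the key, so DNSSEC or verified TLS certificates on s2s are what close that gap.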