Firewall Wizards mailing list archives

visigenic visibroker protocols through firewalls


From: Rudolf Schreiner <ras () muc de>
Date: Sun, 22 Mar 1998 19:11:50 +0100 (CET)

Jyri Kaljundi wrote:

> Does anyone have any information about how to let VisiBroker protocols
> (some kind of Java ORB IIOP protocol, to build Java client-server
> applications, made by a company called VisiGenic, www.visigenic.com, now
> owned by Borland) through firewalls?

Visigenic has a product called Gatekeeper for this purpose. IMHO it is a
gate without lock.

> Are there specifications for how the protocols work, what must be opened
> to let them through?

Gatekeeper supports/uses IIOP, IIOP over HTTP and, as an option, SSL.
IIOP is a normal TCP protocol; you can configure the port. Filtering is no
problem, but doesn't give much protection.

> We are using address translation and I am afraid it might be so that the
> protocols embed IP numbers inside the packets, so when the client connects to
> the server, the server tries to connect back to the client's internal address
> (client in internal net, server in DMZ).

I never tried IIOP with NAT. You are right, the problem is finding the
right object.
I checked IORs of two different ORBs: OmniBroker uses the fully qualified
hostname, Visibroker the IP address. It's no big problem to change the IP
address in an IOR, but IMHO it's an evil hack. You don't know what it will
break later, for example if you add a second server.
An IIOP proxy should have no problems with NAT because it doesn't use it.
Proxies always have to deal with two IORs.

CORBA over a firewall is quite simple. The BIG problem is to do it
securely. The Gatekeeper itself doesn't give you any security at all; it's
a simple proxy without access control or authentication. In the manual
Visigenic recommends using a packet filter. We all learnt years ago that
authentication based on an IP address is not the best idea. There is an
optional SSL product, but it doesn't help that much. It gives you (more
or less, depending on your country) strong authentication of the
principal and protection of your IIOP connection, but does not solve the
more complex problems of distributed systems, e.g. privilege delegation.
It is not compatible with the OMG Security Service either. IMHO SSL is a
quick'n'dirty hack.

Another IIOP proxy is Iona's Wonderwall. Iona's products have some very
interesting security features, but mixing ORBs might not be the best idea
now.

CORBA firewalls are immature. Even worse, CORBA security is
still quite immature (but ActiveX/DCOM has no security at all...). The
Security Service is very new, implementations are rare and depend on
complex security mechanisms, so the development of secure CORBA
systems even in an intranet is hard. Gateways between different security
domains (firewalls) are not explicitly specified in the Security Service
because it's still a research topic (for example, TIS's project Sigma).

Today secure CORBA systems are possible, there are some around. But expect
problems.

Rudi
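As an added illustration that is not part of the original post: the NAT problem Rudi describes comes from the host and port that an IOR carries in its IIOP profile. The small Python decoder below (CDRReader, parse_ior, private_endpoints and the sample IOR are all my own constructions, not Visigenic or OmniBroker code) unpacks a stringified IOR and reports any profile that advertises an RFC 1918 address a client beyond the NAT could not reach; it assumes IIOP 1.0-style profiles and reads only host, port and object key.

```python
# Added example: decode the IIOP profile(s) of a stringified CORBA IOR.
import binascii
import ipaddress
import struct

class CDRReader:
    """Minimal CDR reader; alignment is relative to the encapsulation start."""
    def __init__(self, data):
        self.data, self.pos = data, 1
        self.fmt = ">" if data[0] == 0 else "<"  # octet 0 is the byte-order flag
    def octets(self, n):
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def ulong(self):
        self.pos += (-self.pos) % 4  # align to 4
        return struct.unpack(self.fmt + "I", self.octets(4))[0]
    def ushort(self):
        self.pos += (-self.pos) % 2  # align to 2
        return struct.unpack(self.fmt + "H", self.octets(2))[0]
    def string(self):  # ulong length (counts the trailing NUL) + bytes
        return self.octets(self.ulong())[:-1].decode("latin-1")

def parse_ior(ior):
    """Return (type_id, [(host, port, object_key), ...]) for the IIOP profiles."""
    r = CDRReader(binascii.unhexlify(ior[len("IOR:"):]))
    type_id, profiles = r.string(), []
    for _ in range(r.ulong()):  # sequence<TaggedProfile>
        tag, data = r.ulong(), r.octets(r.ulong())
        if tag == 0:  # TAG_INTERNET_IOP
            p = CDRReader(data)  # the profile body is its own encapsulation
            p.octets(2)  # IIOP version (major, minor), not needed here
            profiles.append((p.string(), p.ushort(), p.octets(p.ulong())))
    return type_id, profiles

def private_endpoints(ior):
    """(host, port) pairs whose host is an RFC 1918 literal, unreachable past NAT."""
    found = []
    for host, port, _ in parse_ior(ior)[1]:
        try:
            if ipaddress.ip_address(host).is_private:
                found.append((host, port))
        except ValueError:  # a hostname (as OmniBroker uses) rather than a literal
            pass
    return found

# Constructed sample IOR (big endian, IIOP 1.0): "IDL:Hello:1.0", 10.0.0.5:1234, key b"obj1"
SAMPLE_IOR = ("IOR:000000000000000e49444c3a48656c6c6f3a312e3000000000000001"
              "000000000000001c000100000000000931302e302e302e35000004d2"
              "000000046f626a31")
```

Running private_endpoints on an IOR exported from a server behind the NAT shows directly whether the hostname or the internal IP is what external clients will try to connect to.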