Firewall Wizards mailing list archives
visigenic visibroker protocols through firewalls
From: Rudolf Schreiner <ras () muc de>
Date: Sun, 22 Mar 1998 19:11:50 +0100 (CET)
Jyri Kaljundi wrote:
> Does anyone have any information about how to let VisiBroker protocols (some kind of Java ORB IIOP protocol, to build Java client-server applications, made by a company called VisiGenic, www.visigenic.com, now owned by Borland) through firewalls?
Visigenic has a product called Gatekeeper for this purpose. IMHO it is a gate without lock.
> Are there specifications for how the protocols work, what must be opened to let them through?
Gatekeeper supports/uses IIOP, IIOP over HTTP and as option SSL. IIOP is a normal TCP protocol, you can configure the port. Filtering is no problem, but doesn't give much protection.
> We are using address translation and I am afraid it might be so that the protocols embed IP numbers inside the packets, so when the client connects to the server, the server tries to connect back to the client's internal address (client in internal net, server in DMZ).
I never tried IIOP with NAT. You are right, the problem is finding the right object. I checked the IORs of two different ORBs: OmniBroker uses the fully qualified hostname, VisiBroker the IP address. It's no big problem to change the IP address in an IOR, but IMHO it's an evil hack. You don't know what it will break later, for example if you add a second server. An IIOP proxy should have no problems with NAT because it doesn't use it. Proxies always have to deal with two IORs.

CORBA over a firewall is quite simple. The BIG problem is to do it securely. The Gatekeeper itself doesn't give you any security at all; it's a simple proxy without access control or authentication. In the manual Visigenic recommends using a packet filter. We all learnt years ago that authentication based on an IP address is not the best idea. There is an optional SSL product, but it does not help that much. It gives you (more or less, depending on your country) strong authentication of the principal and protection of your IIOP connection, but does not solve the more complex problems of distributed systems, e.g. privilege delegation. It is not compatible with the OMG Security Service either. IMHO SSL is a quick'n'dirty hack.

Another IIOP proxy is Iona's Wonderwall. Iona's products have some very interesting security features, but mixing ORBs might not be the best idea now.

CORBA firewalls are immature. Even worse, CORBA security is still quite immature (but ActiveX/DCOM has no security at all...). The Security Service is very new, implementations are rare and depend on complex security mechanisms, so the development of secure CORBA systems even in an intranet is hard. Gateways between different security domains (firewalls) are not explicitly specified in the Security Service because it's still a research topic (for example TIS's project Sigma). Today secure CORBA systems are possible, there are some around. But expect problems.

Rudi
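The IOR point in the reply above (VisiBroker embeds the server's IP address, OmniBroker a hostname, and patching the address in the IOR is possible but a hack) is easier to see with the bytes in front of you. The following is an added example for this archive page, not code from the original post, from VisiGenic, Iona or any ORB; it is a small Python encoder/decoder for stringified IORs following the standard CDR layout (byte-order flag, type id, tagged profiles; an IIOP profile body with version, host, port and object key), plus the "patch the host" rewrite the reply warns about. Every host, port, type id and object key in it is constructed sample data, and the function names are this example's own.

```python
"""Stringified CORBA IOR encoder/decoder plus the NAT "host patch" hack.
Added example for this thread, not code from the original post or any ORB
vendor. It shows what the reply describes: the IOR a server hands out carries
its own host (an IP literal for VisiBroker, a hostname for OmniBroker) and port
inside the TAG_INTERNET_IOP profile, so a client behind NAT dials that address.
All hosts, ports, type ids and object keys below are constructed sample data.
"""
import ipaddress
import struct
TAG_INTERNET_IOP = 0  # IOP profile tag for IIOP

class _CDRWriter:
    """Big-endian CDR encoder; every primitive is aligned to its own size."""
    def __init__(self):
        self.buf = bytearray()

    def num(self, fmt, v):               # fmt "H" = ushort, "I" = ulong
        self.buf += bytes(-len(self.buf) % struct.calcsize(">" + fmt))
        self.buf += struct.pack(">" + fmt, v)

    def octets(self, b):                 # sequence<octet>: ulong length, bytes
        self.num("I", len(b))
        self.buf += b

    def string(self, s):                 # CDR string: length counts the NUL
        self.octets(s.encode("ascii") + b"\x00")

class _CDRReader:
    """CDR decoder; alignment restarts at the start of each encapsulation."""
    def __init__(self, data):
        self.data, self.pos = data, 1
        self.big_endian = data[0] == 0   # leading byte-order flag

    def octet(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def num(self, fmt):
        size = struct.calcsize(">" + fmt)
        self.pos += -self.pos % size     # skip padding to the next multiple
        v = struct.unpack_from((">" if self.big_endian else "<") + fmt,
                               self.data, self.pos)[0]
        self.pos += size
        return v

    def octets(self):
        n = self.num("I")
        self.pos += n
        return bytes(self.data[self.pos - n:self.pos])

    def string(self):
        return self.octets()[:-1].decode("ascii")

def encode_ior(type_id, host, port, object_key, version=(1, 0)):
    """Build a stringified IOR with one IIOP profile pointing at host:port."""
    p = _CDRWriter()                     # inner encapsulation: ProfileBody
    p.buf += bytes((0, *version))        # byte-order flag (0 = big), major, minor
    p.string(host)
    p.num("H", port)
    p.octets(object_key)
    if version >= (1, 1):
        p.num("I", 0)                    # empty tagged-components sequence
    w = _CDRWriter()                     # outer encapsulation: the IOR itself
    w.buf.append(0)
    w.string(type_id)
    w.num("I", 1)                        # one tagged profile follows
    w.num("I", TAG_INTERNET_IOP)
    w.octets(bytes(p.buf))
    return "IOR:" + bytes(w.buf).hex()

def decode_ior(ior):
    """Parse a stringified IOR into its type id and list of profiles."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    r = _CDRReader(bytes.fromhex(ior[4:]))
    type_id, profiles = r.string(), []
    for _ in range(r.num("I")):
        tag, body = r.num("I"), r.octets()
        if tag != TAG_INTERNET_IOP:      # other profile kinds stay opaque
            profiles.append({"tag": tag, "raw": body})
            continue
        b = _CDRReader(body)
        version = (b.octet(), b.octet())
        profiles.append({"tag": tag, "version": version, "host": b.string(),
                         "port": b.num("H"), "object_key": b.octets()})
    return {"type_id": type_id, "profiles": profiles}

def is_private_literal(host):
    """True for a private IP literal (VisiBroker style); a hostname gives False."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def rewrite_ior_host(ior, new_host):
    """The "evil hack" from the reply: re-issue the IOR with the NAT-side host."""
    d = decode_ior(ior)
    p = next(p for p in d["profiles"] if p["tag"] == TAG_INTERNET_IOP)
    return encode_ior(d["type_id"], new_host, p["port"], p["object_key"],
                      p["version"])
```

Decoding an IOR minted by a server on 10.1.2.3 shows the private address in the clear in the IIOP profile, which is exactly what a NAT box never sees and never translates. `rewrite_ior_host` does what the reply calls the evil hack: it keeps port and object key and swaps in the outside address, so it has to be applied to every IOR the server ever hands out (including IORs returned inside replies), and a second server behind the same translated address breaks it unless the port mapping is kept consistent. A proxy that hands clients its own IOR and keeps the server's IOR internally avoids the rewrite altogether, which is the "two IORs" the reply refers to.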
Current thread:
- visigenic visibroker protocols through firewalls Jyri Kaljundi (Mar 18)
- Re: visigenic visibroker protocols through firewalls Justin Mason (Mar 19)
- <Possible follow-ups>
- Re: visigenic visibroker protocols through firewalls Jeremy Epstein (Mar 18)
- visigenic visibroker protocols through firewalls Rudolf Schreiner (Mar 22)