Firewall Wizards mailing list archives

Re: Microsoft invents SOAP


From: Neil Ratzlaff <Neil.Ratzlaff () ucop edu>
Date: Fri, 29 Oct 1999 10:18:33 -0700

I like this sentence:

"Firewalls, provided by products such as the Microsoft® Proxy Server, can block incoming traffic based on various criteria and thereby increase an organization's confidence in the security of its systems."  Linking M$ promoting their product with the implication that confidence is increased without claiming that security is increased.

They seem to equate a firewall with router packet filtering capabilities
(except for M$ Proxy Server, which they also think is a firewall). So they try
to get around this archaic assumption by tunneling DCOM through the firewall
masked as http.  Next thing we know, Doubleclick will be using this to sneak
their banners past the firewall blocks.

Based on Microsoft's record, I am leery of DCOM, but I don't work with it so I
don't know how dangerous it can be.  I just couldn't resist the first
comments.

Neil



At 08:39 10/28/99 -0500, Hardcastle, Kevin wrote:

I will start with a link to published propaganda.

http://msdn.microsoft.com/xml/general/SOAP_White_Paper.asp

Microsoft has replaced DCOM with SOAP (Simple Object Access Protocol) for
e-commerce development.  DCOM had many shortcomings when trying to
communicate through firewalls; they never really understood how NAT worked.
This tool set allows DCOM objects to basically be encapsulated inside http.
Their suggestion is to open a port 80 proxy from your webserver(s) to your
application server(s) on the inside.

InternetWeek claims this is a potentially dangerous and serious security flaw,
though it doesn't elaborate on the details.

I pose this question to the group: what are the potential dangers of
tunneling DCOM objects, or in essence an application, through a well-known
port (http)?  I am assuming an application-proxy-based firewall with a
standard inbound port 80 wrapper, locked down from the IP of the web server to
the IP of the application server.  The application server must be aware of the
payload and be able to strip it out of the http tunnel and execute it.

Thanks for your input.

Kevin Hardcastle
Information Security Group
Alliance Blue Cross Blue Shield
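The question above turns on what a "standard inbound port 80 wrapper" can and cannot see: a port-level rule treats every SOAP envelope as plain HTTP to the application server. The check below, an added example that is not part of the thread or of the Microsoft white paper it discusses, shows the kind of content-aware rule a proxy would need instead. It parses the HTTP request, recognises a SOAP 1.1 envelope, requires the SOAPAction header and the body to name the same method, and allows only methods on an explicit allowlist. The allowlist, the internal host name and the sample requests are constructed for the example.

```python
"""
Content-aware check for HTTP requests that carry a SOAP envelope.

A port-80 wrapper on a proxy firewall sees only "HTTP to the app server";
this check looks into the request and decides per SOAP method, which is the
level at which an application tunneled through port 80 has to be policed.

Added example; the allowlist, host names and sample requests are hypothetical.
"""
import xml.etree.ElementTree as ET

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Hypothetical allowlist: the SOAP methods the application server is meant to expose.
ALLOWED_METHODS = {"GetOrderStatus", "ListCatalog"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def soap_method_name(body: bytes):
    """Return the local name of the first child of soap:Body, or None if the
    body is not a well-formed SOAP 1.1 envelope."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SOAP_ENV_NS}}}Envelope":
        return None
    soap_body = root.find(f"{{{SOAP_ENV_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    return soap_body[0].tag.rsplit("}", 1)[-1]  # strip the XML namespace


def check_request(raw: bytes) -> str:
    """Decide "allow" or "deny:<reason>" for one request.

    Plain HTTP (no SOAP content) passes through. Anything that looks like SOAP
    must be a POST carrying a well-formed envelope, the SOAPAction header must
    agree with the body (so the two cannot tell the proxy and the application
    server different stories), and the method must be on the allowlist.
    """
    method, _path, headers, body = parse_http_request(raw)
    content_type = headers.get("content-type", "")
    looks_like_soap = "soapaction" in headers or "text/xml" in content_type
    if not looks_like_soap:
        return "allow"
    if method != "POST":
        return "deny:soap-without-post"
    name = soap_method_name(body)
    if name is None:
        return "deny:malformed-envelope"
    action = headers.get("soapaction", "").strip('"')
    if action and not action.endswith(name):
        return "deny:soapaction-body-mismatch"
    if name not in ALLOWED_METHODS:
        return f"deny:method-not-allowlisted:{name}"
    return "allow"


def _soap_request(action: str, method_name: str) -> bytes:
    """Build a constructed SOAP 1.1 POST for the samples below."""
    body = (
        '<?xml version="1.0"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_ENV_NS}"><soap:Body>'
        f'<{method_name} xmlns="urn:example"/>'
        '</soap:Body></soap:Envelope>'
    ).encode()
    head = (
        "POST /app HTTP/1.1\r\nHost: app.internal.example\r\n"
        "Content-Type: text/xml; charset=utf-8\r\n"
        f'SOAPAction: "{action}"\r\n'
        f"Content-Length: {len(body)}\r\n"
    ).encode()
    return head + b"\r\n" + body


# Constructed sample requests (not captured traffic).
SAMPLE_PLAIN = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
SAMPLE_OK = _soap_request("urn:example#GetOrderStatus", "GetOrderStatus")
SAMPLE_UNLISTED = _soap_request("urn:example#AdminReset", "AdminReset")
SAMPLE_MISMATCH = _soap_request("urn:example#ListCatalog", "AdminReset")

if __name__ == "__main__":
    for label, req in [("plain", SAMPLE_PLAIN), ("ok", SAMPLE_OK),
                       ("unlisted", SAMPLE_UNLISTED), ("mismatch", SAMPLE_MISMATCH)]:
        print(f"{label:9s} -> {check_request(req)}")
```

The point of the allowlist is that once the application server "strips the payload out of the http tunnel and executes it", the method name in the envelope is the real request; a rule that only matches port, source IP and destination IP never sees it. The SOAPAction/body agreement check exists because a proxy that trusts the header alone can be told one thing while the application server acts on another.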