Firewall Wizards mailing list archives

RE: RPCs over HTTPS through the firewall


From: "Ben Nagy" <ben () iagu net>
Date: Tue, 22 Apr 2003 10:54:10 +0200

No.

ben

(more below)   

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of david singleton
Sent: Monday, 21 April 2003 7:18 PM
To: firewall-wizards () honor icsalabs com

Microsoft's Outlook 11 can envelop its RPC traffic in HTTPS 
and thereby go through the firewall on port 443 to connect to 
the Exchange server.

Is this thought to be any more risky than conventional port 
443 traffic?

David


There are several ways I look at this. 

First of all, it's way better to encapsulate something as icky as RPC if
you're going to send it through the Big Wide Internet. Especially in SSL,
since it's mostly secure. (Anyone know if MS do RSA blinding in their
default crypto library?)

Second, in some ways this should make FW guys happy, because previously we
had to jump through many hoops to make MS stuff talk RPC through firewalls,
whereas SSL can at least be controlled via a single port, and using TCP
state, at the least.

Finally, "conventional" port 443 traffic basically contains unsecured,
unsecureable rubbish, passing through the firewall encrypted, so that it's
all one Big River of Risk as far as an admin is concerned. Does it matter
much if we add RPC to the sludge? Nnnnnnnope.

Allowing SSL traffic to pass encrypted through the firewall is always going
to be a compromise between user privacy and the risk of 3v1l 5tuph being
tunneled through the firewall. The technology does exist, in a clumsy way,
to read the traffic. Most businesses have, either through design or
laziness, chosen privacy. 

(PLEASE let me be spared the rant here about how "businesses have a right to
read all their employees' traffic" - it's incorrect, even in the more insane
legal climates on the planet, it's really a question of philosophy, and it
isn't really relevant ;)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

