Firewall Wizards mailing list archives
Firewall Best Practice regarding XMPP traffic?
From: paddy joesoap <paddyjoesoap () gmail com>
Date: Tue, 15 Jun 2010 12:10:10 +0100
Hi all,

In securing XMPP (Jabber, IM) servers, what best practice in your opinion should be used? Having consulted with the XMPP community, they tend to think of TLS communication channels only and thus a firewall becomes somewhat redundant from an XMPP perspective. That is, the XMPP server should handle authentication, deep packet inspection, IP address filtering and so forth. (Of course this is a simplistic view given a firewall helps prevent unprotected services hosted by the XMPP server from being exploited and it helps control DoS etc.)

However, are XMPP servers deployed in practice like this, where all that is required of the firewall is opening port 5222 for client-to-server communication and port 5269 for server-to-server communication, where all traffic is over TLS?

I'd imagine that some enterprises want to inspect layer-7 packet payloads at the firewall (or even by IDS). For example, ensure a user with a JID of xyz () jabber org cannot send packets through the firewall, or a particular malware signature or malicious Web URL that is embedded with IM conversations is blocked. In such scenarios, is it best practice to remove the TLS option, thereby losing some proof of identity (certificates) in favour of deep packet inspection?

Are there scenarios where an enterprise that is geographically spread uses VPNs such that they do not require TLS encryption on the XMPP servers? Rather, they are content that their VPN tunnel is providing adequate security, coupled with DPI (Deep Packet Inspection) of the XMPP packets and layer 3 and 4 filtering also at the firewall?

While XMPP servers such as Openfire have TLS functionality end-to-end, are these used in practice by security administrators, or is some of the communication desired in the clear for DPI? Presumably, not fully considering a firewall chokepoint means that each XMPP service needs to be updated individually for new threats, and there is also a certificate management issue.

Presumably two XMPP servers that belong to two different enterprises would not share a VPN channel but use TLS enabled on the XMPP servers instead. Again, a firewall is not the silver bullet for every scenario ;-)

Would there be scenarios where XMPP clients are not allowed to connect to the XMPP server except through an HTTP proxy? (Perhaps the XMPP server ports are not externally accessible.) For example, Linux iptables could be used to inspect the XMPP traffic not just at layers 3 and 4 but with some rudimentary L7 filtering.

Any feedback on personal experiences/scenarios is greatly welcomed.

regards,
Paddy.
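The trade-off raised in the post above, as an added example that is not part of the original message: a sketch of firewall-side inspection of one XMPP connection that applies a JID policy while the stream is in cleartext and can only count bytes once STARTTLS has been accepted. The function name, the policy format and the sample traffic are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"  # STARTTLS namespace, RFC 6120

def inspect(segments, denied_jids):
    """Apply a JID policy to the (direction, payload) segments of one connection.

    Returns (verdicts, opaque_bytes): one verdict per cleartext <message/>,
    plus the count of bytes that arrived after TLS began and were not parsed.
    """
    parsers, depth = {}, {}
    verdicts, opaque, encrypted = [], 0, False
    for direction, payload in segments:
        if encrypted:                       # TLS records, not XML
            opaque += len(payload)
            continue
        parser = parsers.setdefault(direction, ET.XMLPullParser(["start", "end"]))
        parser.feed(payload)
        for event, elem in parser.read_events():
            if event == "start":
                depth[direction] = depth.get(direction, 0) + 1
                continue
            depth[direction] -= 1
            if depth[direction] != 1:       # only children of <stream:stream>
                continue
            if elem.tag == "{%s}proceed" % TLS_NS:
                encrypted = True            # TLS handshake follows on this socket
            elif elem.tag.endswith("}message"):
                bare = [elem.get(a, "").partition("/")[0].lower() for a in ("from", "to")]
                hit = any(j in denied_jids for j in bare)
                verdicts.append(("DROP" if hit else "PASS", elem.get("to", "")))
    return verdicts, opaque

# Constructed sample traffic (not captured from a real server).
def header(attr):
    return ("<?xml version='1.0'?><stream:stream %s='example.org' xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>" % attr).encode()

CLEARTEXT = [
    ("c2s", header("to")),
    ("c2s", b"<message to='xyz@jabber.org/home'><body>hi</body></message>"),
    ("c2s", b"<message to='bob@example.org'><body>lunch?</body></message>"),
]
WITH_TLS = [
    ("c2s", header("to")), ("s2c", header("from")),
    ("c2s", b"<starttls xmlns='%s'/>" % TLS_NS.encode()),
    ("s2c", b"<proceed xmlns='%s'/>" % TLS_NS.encode()),
    ("c2s", b"\x16\x03\x01" + b"\x00" * 40),   # stand-in for TLS records
]

if __name__ == "__main__":
    print(inspect(CLEARTEXT, {"xyz@jabber.org"}))
    print(inspect(WITH_TLS, {"xyz@jabber.org"}))
```

On the cleartext stream the policy sees every message; once the server answers `<proceed/>`, the same inspector has only layer 3 and 4 information left to work with.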
Current thread:
- Firewall Best Practice regarding XMPP traffic? paddy joesoap (Jun 16)
- Re: Firewall Best Practice regarding XMPP traffic? K K (Jun 17)
- Re: Firewall Best Practice regarding XMPP traffic? paddy joesoap (Jun 17)
- Re: Firewall Best Practice regarding XMPP traffic? K K (Jun 17)