Date: Wed, 24 Feb 1993 07:54:09 -0500
From: gjkriger%gjk.OCUnix.on.CA@nnsc.nsf.net (George J. Kriger)
Sender: Firewalls-Owner@GreatCircle.COM
In "Notes from Usenix BOF", in reference to the San Diego Usenix, Rik
Farrow wrote:
>[Question:] Is it possible to do WAIS through a firewall?
>BC: No practical way to do WAIS through a firewall.
>Brian Berliner [berliner@sun.com]: No way to do WAIS through a proxy
>service.
Could someone please elaborate?? Why??
[...]
In the vanilla distributed WAIS implementation, query forwarding
through a WAIS "gateway" (a proxy service) is bidirectional. Hence,
installing this code as-is will result in allowing remote users to
probe internal WAIS sources -- something sites using firewall
hosts would, I expect, strongly prefer not to do. Some very early
versions of the WAIS server code also had security problems resulting
from some naivete about document IDs, but those bugs were fixed quite
a while back.
On the other hand, you always have the option of cutting code to build
filtering ACLs into the WAIS server to block nonlocal client access.
I guess this is considered impractical in some circles, though.
The cold fact about WAIS is that the client, in particular the X
client, can absorb copious resources while displaying non-ASCII
documents onscreen for users. Firewall hosts tend to be heavily
burdened by SMTP, NNTP and other relay service loads; having users
login to use WAIS could easily impose a substantial added load. As a
result, there's adequate incentive to build reasonably secure WAIS
"gateways", if only to reduce user logins on firewall host(s). Note
that the same can be said about other IR/RD applications such as (for
example) Gopher and WWW.
- Bede McCall
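As an added illustration, not code from the original message or from any WAIS release, this Python sketch shows the difference between the bidirectional forwarding described above and the filtering-ACL approach: the gateway keeps forwarding for local clients but lets an outside client reach only sources that were explicitly exported. The address ranges, source names and hosts are constructed placeholders.

```python
import ipaddress

# Constructed: the site's internal address ranges (placeholders, not from the message).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed WAIS source table: source name -> host that serves it.
SOURCES = {
    "internal-memos": "10.1.2.3",      # inside the firewall, local use only
    "public-docs":    "10.1.2.4",      # inside, but deliberately exported
    "usenet-archive": "198.51.100.7",  # a remote source outside the firewall
}
# Sources the site has decided outside clients may query.
EXPORTED = {"public-docs"}


def is_internal(host):
    """True if HOST falls in one of the internal ranges; fails closed on junk input."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def vanilla_forward_allowed(client, source):
    """The bidirectional behaviour: any client may be forwarded to any known source."""
    return source in SOURCES


def forward_allowed(client, source):
    """Filtering ACL: local clients keep full forwarding; outside clients see only EXPORTED."""
    if source not in SOURCES:
        return False
    if is_internal(client):
        return True
    return source in EXPORTED


def reachable_sources(client, policy):
    """The set of sources CLIENT could discover by probing the gateway under POLICY."""
    return sorted(s for s in SOURCES if policy(client, s))


if __name__ == "__main__":
    outsider = "203.0.113.9"
    print("vanilla :", reachable_sources(outsider, vanilla_forward_allowed))
    print("filtered:", reachable_sources(outsider, forward_allowed))
```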