Great Circle Associates Firewalls
(September 1996) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: Blocking non-http (executable) content
From: peter @ baileynm . com (Peter da Silva)
Date: Fri, 30 Aug 1996 11:39:20 -0500 (CDT)
To: markry @ microsoft . com (Mark Ryland)
Cc: Firewalls @ GreatCircle . COM, DCOM @ Listserv . msn . com, Russ . Cooper @ RC . Toronto . on . ca
In-reply-to: <c=US%a=_%p=msft%l=RED-32-MSG-960830143258Z-36347 @ mail . microsoft . com> from "Mark Ryland" at Aug 30, 96 07:32:58 am 
>  Running DCOM over HTTP adds absolutely zero new security risks -- an
> RPC system running over an RPC system is not less secure than just an
> RPC system alone.  

The type of transport mechanism used to ship information over a link (though
if you extend things far enough, you can describe IP as an RPC mechanism
if that's the sort of argument you want to make) is irrelevant to the
security implications of the link.

It's the boxes at the ends of the link that are the problem. With HTTP,
the boxes don't trust each other. This means that both clients and
servers limit what the information (commands, programs, scripts, what
have you) can do. And even then there's holes.

> Fundamental fact is that port-base firewalls are of limited utility for
> creating a truly secure environment.

That's true. You want application specific gateways. But if you can't do
that then you want to be able to restrict access by host and port. It's
not perfect, but it's better than nothing.

Also, it's a situation where things are by default closed, and the admin
has to take a definite step to open them up. With HTTP things are open
by default.

It's not perfect, but it's better than nothing.

> Port-based firewalls prevent some bad behavior by UNSOPHISTICATED users
> and hackers.  Like car door locks, they're very worthwhile for that
> reason.  But the a pro can get through your port firewall as fast has a
> pro can get into your car with a slim-jim.  

Are you really characterising Microsoft as "a pro with a slim-jim"? While
there are many people who would be in agreement, I think that's probably
a little extreme.

Shouldn't a company in Microsoft's position be providing a *good* example?

How about a DCOM application proxy, available in source, that can be slipped
into existing firewalls with a minimum of bother. Oh, and while we're on the
subject of Microsoft and security and HTTP, how about the source to the
Font Page CGIs or at least a format spec... a lot of people are justifiably
concerned about this chunk of untestable binary code Microsoft wants us to
drop into cgi-bin...
Indexed By Date Previous: Re: Blocking non-http (executable) content
From: peter @ baileynm . com (Peter da Silva)
Next: Re: NT port activity list
From: peter @ baileynm . com (Peter da Silva)
Indexed By Thread Previous: Re: Blocking non-http (executable) content
From: peter @ baileynm . com (Peter da Silva)
Next: Ascend numbered interfaces
From: Neale Banks <neale @ planet . net . au>
Google
 
Search Internet Search www.greatcircle.com