Great Circle Associates Firewalls
(February 1993)
 


Subject: RE: wais [please elaborate on Rik's notes]
From: bede @ linus . mitre . org
Date: Wed, 24 Feb 93 18:44:44 -0500
To: gjkriger%gjk . OCUnix . on . CA @ nnsc . nsf . net
Cc: firewalls @ GreatCircle . COM
In-reply-to: George J. Kriger's message of Wed, 24 Feb 1993 07:54:09 -0500 <9302240754 . AA18384 @ gjk . OCUnix . on . ca>
Posted-date: Wed, 24 Feb 93 18:44:44 -0500

   Date: 	Wed, 24 Feb 1993 07:54:09 -0500
   From: gjkriger%gjk . OCUnix . on . CA @ nnsc . nsf . net (George J. Kriger)
   Sender: Firewalls-Owner @ GreatCircle . COM

   In "Notes from Usenix BOF", in reference to the San Diego Usenix, Rik
   Farrow wrote:

   >[Question:] Is it possible to do WAIS through a firewall?
   >BC: No practical way to do WAIS through a firewall.
   >Brian Berliner [berliner @ sun . com]: No way to do WAIS through a proxy
   >service.

   Could someone please elaborate ?? Why ??

   [ . . . ]

In the vanilla distributed WAIS implementation, query forwarding
through a WAIS "gateway" (a proxy service) is bidirectional.  Hence,
installing this code as-is will result in allowing remote users to
probe internal WAIS sources -- something sites using firewall
hosts would, I expect, strongly prefer not to do.  Some very early
versions of the WAIS server code also had security problems resulting
from some naivete about document IDs, but those bugs were fixed quite
a while back.

On the other hand, you always have the option of cutting code to build
filtering ACLs into the WAIS server to block nonlocal client access.
I guess this is considered impractical in some circles, though.

The cold fact about WAIS is that the client, in particular the X
client, can absorb copious resources while displaying non-ASCII
documents onscreen for users.  Firewall hosts tend to be heavily
burdened by SMTP, NNTP and other relay service loads;  having users
log in to use WAIS could easily impose a substantial added load.  As a
result, there's adequate incentive to build reasonably secure WAIS
"gateways", if only to reduce user logins on firewall host(s).  Note
that the same can be said about other IR/RD applications such as (for
example) Gopher and WWW.


- Bede McCall
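
The following sketch is an added example, not part of the original message and not code from the WAIS distribution. It contrasts forwarding every query with the client-address ACL the message describes; the internal network range, the sample requests and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumed internal address space for this example (not from the original message).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_local_client(addr: str) -> bool:
    """True only if addr parses as an IP address inside an internal network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable peer address: fail closed
    # Treat IPv4-mapped IPv6 peers (::ffff:a.b.c.d) as their IPv4 address.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def forward_as_is(client: str, source: str) -> bool:
    """Forwarding in either direction: every query is relayed."""
    return True

def forward_with_acl(client: str, source: str) -> bool:
    """Relay a query only when it comes from a local client."""
    return is_local_client(client)

# Constructed sample requests: (client address, requested WAIS source).
REQUESTS = [
    ("10.1.2.3", "public-source.example.org"),         # inside user, outside source
    ("203.0.113.7", "internal-source.corp.example"),   # outside host, inside source
    ("::ffff:10.1.2.4", "public-source.example.org"),  # inside user, mapped IPv6
    ("garbage", "internal-source.corp.example"),       # malformed peer address
]

def relayed(policy):
    """Return the requests a given policy would forward."""
    return [(c, s) for c, s in REQUESTS if policy(c, s)]

if __name__ == "__main__":
    for name, policy in (("as-is", forward_as_is), ("acl", forward_with_acl)):
        print(name, relayed(policy))
```
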


