W3C home > Mailing lists > Public > ietf-discuss@w3.org > August 2001

Re: Use ofHTTP to pass firewalls

From: Sead Muftic <sead@dsv.su.se>
Date: Thu, 09 Aug 2001 12:13:21 -0400
Message-Id: <3.0.32.20010809121319.00918540@mail.dsv.su.se>
To: Jacob Palme <jptest@dsv.su.se>, discuss@apps.ietf.org
Cc: "Kristine Andersen" <kristineandersen@hotmail.com>, "Christer Backman" <asphalt_world@hotmail.com>, Fredrik Björck <bjorck@dsv.su.se>, Mats Wiklund <matsw@dsv.su.se>, kasun@dsv.su.se
Jacob:

>I have some questions regarding this practice:
>
>(1) Am I correct in describing the practice above?

You are absolutely right, you "hit the nail to the head". This is one of
the most common
hackers' practices and network vulnerabilities today (cf. Code Red and IIS
server).


>
>(2) Does this practice lead to reduced or increased security,
>     compared to the alternative of using special port numbers
>     for each application and changing the firewalls when
>     necessary?

Reduced, since with different ports you may configure firewall to those
ports, here all
requests are transperent.

>
>(3) Is this a good practice? Should IETF do something to
>     favor or disfavor this practice?

First, you may "disfavour" this practice only if you limit the
functionality of the Web server, so you
do not allow Web servers to be used as portals, you prevent ASPs, etc.
which is probably not a realistic
assumption.

>
>My feeling is that it is against the whole idea of port numbers to
>multiplex lots of different applications to a single port 80, just in
>order to cheat firewalls. 

The purpose of multiplexing to port 80 is not "to cheat firewalls" (that is
the consequence),
the purpose is nice (GUI) interface of the Web to many background
application servers.


>On the other hand, the HTTP server on port 80, which handles such
>requests, may be more secure against various security holes, such
>as the well-known buffer overflow, than particular servers for
>particular port numbers. But of course the data which the HTTP
>server forwards to the application program may cause buffer over-
>flow in the application program, even if this data arrived indirectly 
>via the HTTP server on port 80?


Web server can not be more secure, it is as secure as it is, (since it is
standardized !).
Therefore, one method of enhancing this "multiplexing on port 80" protocol
is to put 
some kind of the Security Proxy (at the application level ! not firewall at
the IP level)
in front of the port 80. Such proxy can take care of

   - standard Web IP level security (SSL),
   - application level Web security (s-http),
   - additional multi-application security (S/MIME),
   - security against active contents,
   - etc.

I'd like to mention that here in the States I have an on-going research
project dealing exactly
with these problems that you've indicated and creating solutions which I've
briefly described.

Regards,

Sead
Received on Thursday, 9 August 2001 13:40:59 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 9 December 2014 23:04:05 UTC