- From: Sead Muftic <sead@dsv.su.se>
- Date: Thu, 09 Aug 2001 12:13:21 -0400
- To: Jacob Palme <jptest@dsv.su.se>, discuss@apps.ietf.org
- Cc: "Kristine Andersen" <kristineandersen@hotmail.com>, "Christer Backman" <asphalt_world@hotmail.com>, Fredrik Björck <bjorck@dsv.su.se>, Mats Wiklund <matsw@dsv.su.se>, kasun@dsv.su.se
Jacob: >I have some questions regarding this practice: > >(1) Am I correct in describing the practice above? You are absolutely right, you "hit the nail to the head". This is one of the most common hackers' practices and network vulnerabilities today (cf. Code Red and IIS server). > >(2) Does this practice lead to reduced or increased security, > compared to the alternative of using special port numbers > for each application and changing the firewalls when > necessary? Reduced, since with different ports you may configure firewall to those ports, here all requests are transperent. > >(3) Is this a good practice? Should IETF do something to > favor or disfavor this practice? First, you may "disfavour" this practice only if you limit the functionality of the Web server, so you do not allow Web servers to be used as portals, you prevent ASPs, etc. which is probably not a realistic assumption. > >My feeling is that it is against the whole idea of port numbers to >multiplex lots of different applications to a single port 80, just in >order to cheat firewalls. The purpose of multiplexing to port 80 is not "to cheat firewalls" (that is the consequence), the purpose is nice (GUI) interface of the Web to many background application servers. >On the other hand, the HTTP server on port 80, which handles such >requests, may be more secure against various security holes, such >as the well-known buffer overflow, than particular servers for >particular port numbers. But of course the data which the HTTP >server forwards to the application program may cause buffer over- >flow in the application program, even if this data arrived indirectly >via the HTTP server on port 80? Web server can not be more secure, it is as secure as it is, (since it is standardized !). Therefore, one method of enhancing this "multiplexing on port 80" protocol is to put some kind of the Security Proxy (at the application level ! not firewall at the IP level) in front of the port 80. Such proxy can take care of - standard Web IP level security (SSL), - application level Web security (s-http), - additional multi-application security (S/MIME), - security against active contents, - etc. I'd like to mention that here in the States I have an on-going research project dealing exactly with these problems that you've indicated and creating solutions which I've briefly described. Regards, Sead
Received on Thursday, 9 August 2001 13:40:59 UTC