RE: Summing up on visibility(?)

> > > Whatever.  All I know is that every day I see another article in the
> > > trade press about this; today's is
> > > http://www.networkmagazine.com/article/NMG20021223S0005
>
> The trade press also talks about (in this article)
>
>  "The Extensible Markup Language (XML) protocol ..."
>  "XML messages can bring [...] load balancers to a stop"
>  "As an environment, XML is technically an application problem; it only
>  requires a TCP stream to function"
>  "Traditional firewalls don't work because most XML implementations will
>  travel over Port 80, which is open to HTML traffic"
>  "...Web service protocols such as XML ..."
>
> And these are just the immediately obvious things. So what is talked about
> isn't necessarily a real issue, but it probably does deserve discussion and
> illumination.

The problem with a lot of firewalls is that they actually do packet
filtering. If it goes to port 27 it's bad, if it goes to port 80 it's good.
There's a lot of stuff you can pass in port 80 that they just can't detect.
For example, long URLs that cause buffer overflows and kill the HTTP server.

What happened is, at some point we got all the applications to be elevated.
Instead of having distinct ports for different applications we now use HTTP
for everything, so the packet-filtering approach is no longer sufficient.
We elected to no longer use the uniform interface of port+ip and instead use
the uniform interface of port+HTTP method.

The only solution is for the firewall to stop looking at individual packets
and start looking at messages, because whether you use REST or SOAP or
ebXML, you are channeling different traffic on the same port in
similar-looking packets.

arkin

Received on Friday, 10 January 2003 00:21:26 UTC
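To make the post's distinction between port-based packet filtering and message-level inspection concrete, here is an added Python example; it is not code from the thread or from any product discussed in it. The HTTP method allow-list, the 2048-character request-target limit and the sample requests are all constructed assumptions for illustration. It runs the same four port-80 messages through a port-only filter (which allows all of them) and through a minimal HTTP request-line inspector (which rejects the overlong URL, the unexpected method and the non-HTTP bytes).

```python
"""Port filtering versus HTTP message inspection.

Added example, not code from the original mailing-list thread. Thresholds,
the method allow-list and all sample traffic below are constructed.
"""

MAX_URL_LEN = 2048                          # assumed policy limit on request-target length
ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # assumed allow-list of HTTP methods


def port_filter(dst_port: int) -> str:
    """A packet filter only sees the destination port: 80 is 'good', the rest 'bad'."""
    return "allow" if dst_port == 80 else "deny"


def inspect_http_request(raw: bytes) -> dict:
    """Message-level check: parse the request line and apply a simple policy.

    Returns the decision together with a reason so a caller can log it.
    """
    try:
        head, _, _ = raw.partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (ValueError, UnicodeDecodeError):
        return {"decision": "deny", "reason": "not a well-formed HTTP request line"}
    if not version.startswith("HTTP/"):
        return {"decision": "deny", "reason": "unexpected protocol version"}
    if method not in ALLOWED_METHODS:
        return {"decision": "deny", "reason": f"method {method} not allowed"}
    if len(target) > MAX_URL_LEN:
        return {"decision": "deny",
                "reason": f"request-target length {len(target)} exceeds {MAX_URL_LEN}"}
    return {"decision": "allow", "reason": "request line within policy"}


# Constructed sample traffic; every message is sent to port 80.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "long_url": b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "odd_method": b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "not_http": b"\x00\x01\x02 some binary blob sent to port 80",
}


def compare(samples=SAMPLES) -> dict:
    """Run both filters over every sample and return (port, message) decisions."""
    return {name: (port_filter(80), inspect_http_request(raw)["decision"])
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (by_port, by_message) in compare().items():
        print(f"{name:10s} port-filter={by_port:5s} message-inspection={by_message}")
```

The point the post makes shows up in `compare()`: the port filter returns "allow" for all four samples because they share a port, while only the inspector that reads the HTTP request line can tell the overlong URL and the non-HTTP bytes apart from an ordinary GET.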