[Microsoft] SOAP and "The trouble with firewalls"

Date view Thread view Subject view Author view

From: Adam Rifkin -4K (adam@XeNT.ics.uci.edu)
Date: Sun Jul 23 2000 - 01:37:57 PDT

This is seven months old but I forgot about it until I saw it again
tonight. David "Mr. COM" Chappell extols the virtues of circumventing
sysadmins' policies in


The sentence "firewalls are no longer a problem" is cringe(ly)worthy...

> The trouble with firewalls
> Understanding why firewalls cause problems for distributed object
> protocols requires understanding how a firewall is able to distinguish
> one protocol from another. In the TCP/IP architecture, each widely used
> protocol is assigned its own port number and each request made using
> this protocol carries that number. HTTP, for example, is assigned port
> 80, while the File Transfer Protocol (FTP) relies on port 21. Most
> firewalls allow blocking a specific protocol by rejecting all traffic
> sent on the port used by that protocol. In general, firewalls are
> configured to allow traffic on port 80 -- if they weren't, HTTP
> requests from browsers couldn't get through. But many firewalls block
> most other ports, assuming that it's better just to block every port
> number that the firewall isn't specifically set to allow rather than
> allow other protocols into an intranet when each one could be a
> potential security threat.
> This is exactly where the problem arises with distributed object
> protocols. Unlike HTTP, FTP, and other widely used protocols,
> distributed object protocols don't generally have a single well-known
> port number assigned to them. Instead, these protocols typically use
> dynamically assigned ports, with port numbers chosen arbitrarily as
> needed. If no firewall intervenes in the communication between client
> and server, this approach works well. Insert a firewall, however, and
> communication stops -- the firewall blocks all traffic using this
> protocol because it's not configured to pass requests on arbitrary port
> numbers.
> Various approaches exist to address this issue. Some firewalls, for
> example, can be configured to pass traffic with port numbers in a
> specified range. If the distributed object protocol in use can be
> configured to assign ports only in this range, client requests can
> successfully get through. Security-minded network administrators tend to
> frown on opening up an arbitrary set of ports, however, which makes this
> a less-than-ideal solution. Another option specifically for some users
> is COM Internet Services, which makes the initial request on port 80 and
> then sends ordinary DCOM packets over TCP. While useful in many cases,
> this technology works only with Microsoft Internet Information Server
> and DCOM -- it's not a complete solution. A more general approach is
> needed.
> Since nearly all firewalls pass traffic on port 80, all that's required
> to get those firewalls to pass a distributed object protocol is for that
> protocol to use port 80. This isn't quite as simple as it sounds,
> however, since this port is already assigned to HTTP. The solution
> adopted by SOAP is to piggyback a distributed object protocol on top of
> HTTP. The HTTP protocol is quite simple: It consists mainly of a few
> basic verbs -- GET, PUT, POST, and others -- sent from a browser to a
> server. Each verb can be followed by other information, all of which is
> typically sent as simple character strings. SOAP doesn't change any
> of this, nor does it require adding any verbs to HTTP itself. Instead,
> SOAP uses the Extensible Markup Language (XML) to define the format of
> request and response messages and then allows the use of the normal HTTP
> POST command to send this information. All SOAP traffic goes through
> port 80, which means that SOAP can be used on the Internet with any Web
> server -- firewalls are no longer a problem.
> One of the primary design goals for SOAP is to ensure that it can be
> used effectively on top of the Internet's existing infrastructure --
> that is, HTTP, firewalls, proxies, and all the rest. For example, SOAP
> can use the Secure Sockets Layer (SSL) protocol for security, take
> advantage of HTTP's connection management facilities, and more. SOAP
> makes communicating with distributed object applications on the Internet
> as easy as it is to use browsers to access Web pages.


In the software industry, things were very balkanized. With Windows, Netware, OS/390 (and many other operating systems), you slice the skills fairly thinly, with people taking special courses in their particular dialect. But it's easier if you need someone who speaks (an industry standard such as) HTML or TCP/IP. You go to any high school and you hire some good computer scientists. -- Irving Wladawsky-Berger, vice president of technology and strategy at IBM http://news.cnet.com/news/0-1003-200-2117959.html?tag=st.ne.1002.tgif.ni

Date view Thread view Subject view Author view

This archive was generated by hypermail 2b29 : Sun Jul 23 2000 - 01:38:34 PDT