RE: [fw-wiz] RPCs over HTTPS through the firewall
From: Ben Nagy (ben@iagu.net)
Date: 04/22/03
- Previous message: Volker Tanger: "Re: [fw-wiz] RPCs over HTTPS through the firewall"
- In reply to: david singleton: "[fw-wiz] RPCs over HTTPS through the firewall"
- Next in thread: Mark Tinberg: "RE: [fw-wiz] RPCs over HTTPS through the firewall"
- Reply: Mark Tinberg: "RE: [fw-wiz] RPCs over HTTPS through the firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ben Nagy" <ben@iagu.net>
To: "'david singleton'" <david_rh_singleton@hotmail.com>, <firewall-wizards@honor.icsalabs.com>
Date: Tue, 22 Apr 2003 10:54:10 +0200
No.
ben
(more below)
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of david singleton
> Sent: Monday, 21 April 2003 7:18 PM
> To: firewall-wizards@honor.icsalabs.com
>
> Microsoft's Outlook 11 can envelope its RPC traffic in HTTPS
> and thereby go through the firewall on port 443 to connect to
> the Exchange server.
>
> Is this thought to be any more risky than conventional port
> 443 traffic?
>
> David
There are several ways I look at this.
First of all, it's way better to encapsulate something as icky as RPC if
you're going to send it through the Big Wide Internet. Especially in SSL,
since it's mostly secure. (Anyone know if MS do RSA blinding in their
default crypto library?)
Second, in some ways this should make FW guys happy, because previously we
had to jump through many hoops to make MS stuff talk RPC through firewalls,
whereas SSL can at least be controlled via a single port, and using TCP
state, at the least.
Finally, "conventional" port 443 traffic basically contains unsecured,
unsecureable rubbish, passing through the firewall encrypted, so that it's
all one Big River of Risk as far as an admin is concerned. Does it matter
much if we add RPC to the sludge? Nnnnnnnope.
Allowing SSL traffic to pass encrypted through the firewall is always going
to be a compromise between user privacy and the risk of 3v1l 5tuph being
tunneled through the firewall. The technology does exist, in a clumsy way,
to read the traffic. Most businesses have, either through design or
laziness, chosen privacy.
(PLEASE let me be spared the rant here about how "businesses have a right to
read all their employees' traffic" - it's incorrect, even in the more insane
legal climates on the planet, it's really a question of philosophy, and it
isn't really relevant ;)
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
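The reply above makes two points a firewall admin can actually act on: a port/state firewall sees RPC-over-HTTPS as just another TCP/443 flow, while a TLS-terminating proxy (the "clumsy" technology to read the traffic) can tell the tunnel apart from ordinary browsing. The following script is an added example, not part of the original post or thread. It feeds a small constructed proxy access log (hypothetical format) through both views. The RPC_IN_DATA and RPC_OUT_DATA HTTP verbs and the /rpc/rpcproxy.dll path are the ones Microsoft's RPC-over-HTTP protocol (MS-RPCH) uses; that is my assumption here, not something the post states.

```python
"""Contrast what a stateful port filter sees with what a TLS-terminating
proxy sees for Outlook RPC-over-HTTPS traffic.

Added example; the log format below is constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample lines in a hypothetical proxy log format:
# <timestamp> <src ip:port> -> <dst ip:port> <HTTP method> <path> <status>
SAMPLE_LOG = """\
2003-04-22T10:54:10 10.1.2.3:51234 -> 203.0.113.10:443 GET /index.html 200
2003-04-22T10:54:11 10.1.2.3:51235 -> 203.0.113.10:443 POST /login 302
2003-04-22T10:54:12 10.1.2.4:51301 -> 198.51.100.20:443 RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.com:6001 200
2003-04-22T10:54:12 10.1.2.4:51302 -> 198.51.100.20:443 RPC_OUT_DATA /rpc/rpcproxy.dll?mail.example.com:6001 200
2003-04-22T10:54:13 10.1.2.5:51400 -> 203.0.113.10:443 GET /rpc/rpcproxy.dll 401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Verbs used by Microsoft's RPC-over-HTTP (MS-RPCH); assumption, not from the post.
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
RPC_PROXY_PATH = "/rpc/rpcproxy.dll"


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every non-empty line; silently skip lines that do not match."""
    return [e for e in (parse_line(l) for l in text.splitlines() if l.strip()) if e]


def classify(entry):
    """Label a request as an RPC-over-HTTP tunnel or ordinary web traffic.

    Either the RPC verb or the rpcproxy path is enough: a GET to the proxy
    DLL is still someone poking at the RPC endpoint.
    """
    if entry["method"] in RPC_METHODS or entry["path"].startswith(RPC_PROXY_PATH):
        return "rpc-over-http"
    return "web"


def firewall_view(entries):
    """What a port/state firewall sees: destination socket and flow count only.

    Every flow here is TCP/443, so RPC and browsing are indistinguishable.
    """
    return dict(Counter(e["dst"] for e in entries))


def proxy_view(entries):
    """What a TLS-terminating proxy sees: it can read the method and path."""
    return dict(Counter(classify(e) for e in entries))


def only_port_443(entries):
    """True when every destination is port 443, i.e. the filter saw nothing else."""
    return all(e["dst"].rsplit(":", 1)[1] == "443" for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("firewall sees:", firewall_view(entries))
    print("proxy sees:   ", proxy_view(entries))
```

The firewall view collapses to two destinations on port 443; the proxy view separates three RPC-proxy requests from two ordinary ones. That is the trade-off the post describes: without terminating TLS you control the port and the TCP state, and nothing more.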