Re: [fw-wiz] Firewall Best Practice regarding XMPP traffic?

In my experience, yes -- XMPP servers are generally deployed in the
DMZ with TLS enabled (required) for all connections.

Theoretically you could load a copy of your XMPP server's private key
onto a content inspection device, granting it visibility inside the
encrypted session. I've never known anybody to do this in practice.

What I have seen done for a corporate XMPP deployment is to have the
clients connect to an edge device using the legacy SSL-only port
(TCP/5223), and then use a generic SSL appliance pass-through to
decrypt the traffic at the edge, so it enters the DMZ in the clear,
where the TCP stream can be inspected as needed. This still leaves
any server-to-server traffic non-inspectable, but ensures all traffic
to/from directly connected clients is available for IPS scanning and
L-7 inspection/filtering.

Speaking of firewalls, I'm still disappointed that none of the "Chat
aware" content filtering products are offering support for XMPP.
Blue Coat, Websense, Vontu, etc. all go to great lengths to attempt to
see inside AIM and Yahoo chat, but totally ignore the one fully open
protocol in the inspection engines.

Kevin Kadow
firewall-wizards mailing list
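The deployment described in the reply above terminates TLS at the edge so the DMZ sees a cleartext XMPP stream that an L-7 engine can inspect. The following is an added example, not code from the poster or from any of the products named, of what such inspection looks like once the stream is in the clear: it reads the stream incrementally (the `<stream:stream>` root never closes while the session is up, so a one-shot XML parser cannot be used), and applies two illustrative policies: flag stanzas addressed outside an allow-list of internal domains, and flag stanzas that carry a file-transfer negotiation (the XEP-0096 stream-initiation and XEP-0166 Jingle namespaces). The sample stream, the JIDs and the allow-list are constructed for the example; the policy checks are assumptions about what an organization might want to filter, not anything the post prescribes.

```python
"""Minimal L-7 inspection of a cleartext XMPP client stream (added example).

Assumes TLS has already been terminated at the edge, as in the deployment
described on the list, so the inspector sees plain XML.  The sample stream
and domains below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Namespaces whose presence inside a stanza indicates a file transfer being
# negotiated: XEP-0096 stream initiation and XEP-0166 Jingle.
FILE_TRANSFER_NS = ("http://jabber.org/protocol/si", "urn:xmpp:jingle:1")


def iter_stanzas(chunks):
    """Yield each top-level stanza from a stream delivered in arbitrary chunks.

    The stream root stays open for the life of the session, so we track
    element depth and emit a child as soon as its closing tag arrives.
    """
    parser = ET.XMLPullParser(events=("start", "end"))
    depth = 0
    for chunk in chunks:
        parser.feed(chunk)
        for event, elem in parser.read_events():
            if event == "start":
                depth += 1
            else:
                depth -= 1
                if depth == 1:  # back at the stream root: one full stanza is complete
                    yield elem


def domain_of(jid):
    """Return the lower-cased domain part of a bare or full JID (user@domain/resource)."""
    bare = jid.split("/", 1)[0]
    return bare.rsplit("@", 1)[-1].lower()


def inspect_stanza(elem, allowed_domains):
    """Return a list of policy findings for one stanza (empty list means allowed)."""
    findings = []
    local = elem.tag.split("}", 1)[-1]  # strip the {jabber:client} namespace prefix
    to = elem.get("to", "")
    if to and domain_of(to) not in allowed_domains:
        findings.append(f"{local} to external domain {domain_of(to)!r}")
    for child in elem.iter():  # includes elem itself, then every descendant
        ns = child.tag[1:].split("}", 1)[0] if child.tag.startswith("{") else ""
        if ns in FILE_TRANSFER_NS:
            findings.append(f"{local} carries file-transfer negotiation ({ns})")
            break
    return findings


def inspect_stream(stream_text, allowed_domains, chunk_size=64):
    """Run the inspector over a stream fed in TCP-segment-sized chunks.

    Returns a list of (stanza id, finding) pairs in stream order; the result
    is independent of how the stream happens to be segmented.
    """
    chunks = [stream_text[i:i + chunk_size] for i in range(0, len(stream_text), chunk_size)]
    report = []
    for stanza in iter_stanzas(chunks):
        for finding in inspect_stanza(stanza, allowed_domains):
            report.append((stanza.get("id", "-"), finding))
    return report


# Constructed sample: an internal chat, a chat to an outside domain, and a
# file-transfer offer.  Domains and names are placeholders.
SAMPLE_STREAM = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' to='corp.example' version='1.0'>"
    "<message id='m1' to='bob@corp.example' from='alice@corp.example/pc' type='chat'>"
    "<body>lunch?</body></message>"
    "<message id='m2' to='mallory@partner.example' from='alice@corp.example/pc' type='chat'>"
    "<body>figures are in the spreadsheet</body></message>"
    "<iq id='ft1' to='bob@corp.example' from='alice@corp.example/pc' type='set'>"
    "<si xmlns='http://jabber.org/protocol/si' id='s1' "
    "profile='http://jabber.org/protocol/si/profile/file-transfer'>"
    "<file xmlns='http://jabber.org/protocol/si/profile/file-transfer' name='q3.xlsx' size='2048'/>"
    "</si></iq>"
)
ALLOWED_DOMAINS = {"corp.example"}

if __name__ == "__main__":
    for stanza_id, finding in inspect_stream(SAMPLE_STREAM, ALLOWED_DOMAINS):
        print(f"[{stanza_id}] {finding}")
```

Because the parser is fed chunk by chunk, the same logic can sit behind a TCP proxy in the DMZ and emit a finding the moment a stanza's closing tag arrives, rather than buffering the whole session. As the reply notes, this only covers directly connected clients; server-to-server traffic that is not terminated at the edge stays opaque to it.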