[ale] Firewall Administrative Question

Gary Maltzen maltzen at MM.COM
Tue Jun 20 23:48:55 EDT 2000


Since Apache and IIS already have the ability to listen on specific IP addresses AND/OR specific TCP ports and support for this is already in all browsers, what you describe is already available. The same is true for MIME (content-type) support.

This shouldn't really be considered "tunneling" unless you intend the HTTP protocol to actually be an encapsulation of some other more generic protocol (like PPP). XML is a more *specific* protocol than HTTP.

Firewall issue: you will need to add routing definition/s for the new server/s to the firewall. Assuming something like Cisco's CBAC, you need to add some routing/filtering commands to the router. How difficult this is depends on the in-house firewall/router expertise.

Appearance of risk will depend on how clearly you can explain the function and need for this to the firewall admin.

(These are my opinions; I'm the only one foolish enough to state them)

>I would like to write a set of clients and servers, each pair of which
>would communicate using a different packet sub-type, each presenting
>to a firewall as HTTP/1.1. The actual data would consist of well-formed
>HTTP Requests and HTTP Responses. The content-type would be "text/xml" or
>"application/xml". I would like to use a set of port numbers other than
>the usual 80 and 443, so that each service could be assigned a port
>number and those clients would use that port for their default connection.
>
>In summary, this box would behave like an HTTP/1.1 client except that it
>would work to a non-standard set of ports.
>
>Technically I think this amounts to "HTTP Tunnelling" as a [hopefully]
>non-threatening way to pass several types of exchange through a proxy
>firewall (or a number of them) without having to use another box ahead of
>the client to decode each packet's type to determine which service was
>appropriate.
>
>The question is this: in the typical enterprise with a strong, content-
>filtering proxy firewall, how much trouble will the MIS department have to
>go to allow this?
>
>How risky do you think this type of setup would appear to an 'average'
>firewall administrator?
>
>Any experience with available firewalls, or any policy information you
>could share, would be great. Thanks for any comments.
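As an added illustration of the reply's first point (this is not part of the original thread or of any project's own configuration), the Apache httpd fragment below binds one service per address:port pair and accepts only XML, so the firewall rule can be written for exactly those pairs. The address, ports, hostnames and paths are placeholders, and the syntax is Apache 2.4 (`Require`), not the 2000-era `Order allow,deny` form.

```apache
# Added example, not from the original post. 192.0.2.10, the ports,
# hostnames and directories are made-up placeholders.

# Bind each service to a specific address:port pair instead of *:80, so
# the firewall admin only has to permit tcp/8081 and tcp/8082 to this host.
Listen 192.0.2.10:8081
Listen 192.0.2.10:8082

# Service A: text/xml exchange on port 8081
<VirtualHost 192.0.2.10:8081>
    ServerName svc-a.example.com
    DocumentRoot "/srv/svc-a"
    <Directory "/srv/svc-a">
        # Every response from this service is labelled text/xml
        ForceType text/xml
        Require all granted
    </Directory>
    # Refuse request bodies that are not XML, so the port carries only the
    # traffic that was described to the firewall admin (needs mod_rewrite)
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(POST|PUT)$
    RewriteCond %{HTTP:Content-Type} !^(text|application)/xml [NC]
    RewriteRule .* - [F]
    LogLevel warn
    CustomLog "/var/log/httpd/svc-a_access.log" combined
</VirtualHost>

# Service B: application/xml exchange on port 8082
<VirtualHost 192.0.2.10:8082>
    ServerName svc-b.example.com
    DocumentRoot "/srv/svc-b"
    <Directory "/srv/svc-b">
        ForceType application/xml
        Require all granted
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(POST|PUT)$
    RewriteCond %{HTTP:Content-Type} !^(text|application)/xml [NC]
    RewriteRule .* - [F]
    CustomLog "/var/log/httpd/svc-b_access.log" combined
</VirtualHost>
```

Because each service has its own listener and log, the firewall side reduces to one permit rule per address:port pair, and a content-filtering proxy sees ordinary HTTP/1.1 with an XML content type rather than an opaque tunnel.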
