derek at wedgetail.com
Fri Oct 18 16:30:12 CEST 2002
John Keeling wrote:
> Over the internet, you really want to use Web Services rather than
> CORBA, because CORBA/IIOP uses multiple ports that have to be
> explicitly allowed on the firewall ( on both the client and server
> side). This is an admin and security issue.
Yes. It *is* a security issue. By misusing port 80 for remote procedure
calls, you are violating the contract between you and your sysadmin, and
quite likely violating your organization's (our your client's) security
policy. That port was opened to allow web pages to be served up, not to
run bits of arbitrary code on request.
If I were a sysadmin, I'd be blocking anything that looks like SOAP at
the firewall. Sysadmins I've spoken to about SOAP have reacted with
horror when I explain the nature of SOAP, and have started writing
little filters already ;) Expect a few "anti-SOAP" scripts on
sourceforge any time now.
The problem with this whole firewall issue is that it's a political and
organizational one. It *cannot* be solved technically. If you want RPC
you have to allow it through the firewall. Many developers/deployers
don't even think to find out what the admins think at the deployment
site, or even what the security policy is, and certainly don't do what
they *should* do - which is to involve the admins who are looking after
the target system.
Instead, they get all upset when the admin, who has a professional
responsibility for the security of his users' data, refuses to just open
up random ports without notice. Then the deployer views the admin as the
problem that must be "worked around".
Enter SOAP and misusing port 80 to get RPC requests throught without
needing a anyone's authority. All that will happen is the sysadmins will
be forced to filter it, and you are back to square one.
The lesson is - you can't hack around a problem like this. You have to
negotiate, and get all the people who will be impacted by your
development involved from day one. Sure, they might say, "this is
against our policy, it will never be allowed", but isn't it better to
find that out *before* starting? Then, if you want, you can work to
change the policy. Screwing around with port 80 is going to cause a lot
of ill-will. The first time a SOAP request comes through that runs some
random bit of code that causes some damage, you can fully expect to be
hung out to dry for it.
Organizations have security policies for a reason. Hacking around them
will *never* end well.
More information about the Python-list