Firewall Wizards mailing list archives

Microsoft invents SOAP


From: "Hardcastle, Kevin" <Hardcask () abcbs com>
Date: Thu, 28 Oct 1999 08:39:55 -0500


I will start with a link to published propaganda.

http://msdn.microsoft.com/xml/general/SOAP_White_Paper.asp

Microsoft has replaced DCOM with SOAP (Simple Object Access Protocol) for
e-commerce development.  DCOM had many shortcomings when trying to
communicate through firewalls; they never really understood how NAT worked.
This tool set allows DCOM objects to basically be encapsulated inside http.
Their suggestion is to open a port 80 proxy from your webserver(s) to your
application server(s) on the inside.

InternetWeek claims this is a potentially dangerous and serious security flaw,
though it doesn't elaborate on the details.

I pose this question to the group: what are the potential dangers of
tunneling DCOM objects, or in essence an application, through a well-known
port (http)?  I am assuming an application-proxy-based firewall with a
standard inbound port 80 wrapper, locked down from the IP of web server to
the IP of application server.  The application server must be aware of the
payload and be able to strip it out of the http tunnel and execute it.

Thanks for your input.

Kevin Hardcastle
Information Security Group
Alliance Blue Cross Blue Shield
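
An added example, not part of the original post: it contrasts the IP-and-port rule described above with a payload-aware check that parses the tunneled call and allow-lists it. It assumes the SOAP 1.1 envelope namespace (published after this post); the addresses, namespace URIs, method names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace (assumption)
# Hypothetical policy: the only (namespace, method) pairs the app server should accept.
ALLOWED_CALLS = {("urn:example:claims", "GetClaimStatus")}
WEB_SERVER_IP = "192.0.2.10"  # constructed address from the documentation range

def make_request(ns: str, method: str) -> bytes:
    """Build a constructed sample SOAP-over-HTTP request."""
    xml = (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}"><SOAP-ENV:Body>'
           f'<m:{method} xmlns:m="{ns}"/></SOAP-ENV:Body></SOAP-ENV:Envelope>').encode()
    head = (f"POST /app HTTP/1.1\r\nHost: app.internal.example\r\n"
            f"Content-Type: text/xml\r\nContent-Length: {len(xml)}\r\n\r\n").encode()
    return head + xml

def port_rule(src_ip: str, dst_port: int) -> bool:
    """The rule from the post: web server IP to app server, port 80 only."""
    return src_ip == WEB_SERVER_IP and dst_port == 80

def soap_call(raw: bytes):
    """Return (namespace, method) of the SOAP call in the request, or None if not SOAP."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    if not lines[0].startswith("POST ") or "xml" not in headers.get("content-type", ""):
        return None
    if b"<!DOCTYPE" in body:  # SOAP 1.1 messages must not carry a DTD
        raise ValueError("DTD in SOAP body")
    root = ET.fromstring(body)
    body_el = root.find(f"{{{SOAP_ENV}}}Body")
    if root.tag != f"{{{SOAP_ENV}}}Envelope" or body_el is None or len(body_el) != 1:
        raise ValueError("malformed SOAP envelope")
    tag = body_el[0].tag  # ElementTree form: "{namespace}localname"
    if not tag.startswith("{"):
        raise ValueError("method element has no namespace")
    ns, _, name = tag[1:].partition("}")
    return ns, name

def payload_rule(raw: bytes) -> bool:
    """Allow only allow-listed SOAP calls; reject non-SOAP and malformed requests."""
    try:
        return soap_call(raw) in ALLOWED_CALLS
    except (ValueError, ET.ParseError):
        return False
```

Both sample requests below pass `port_rule`, because that rule never sees which method is being invoked; only `payload_rule` tells them apart.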


