Firewall Wizards mailing list archives

RE: Microsoft invents SOAP


From: sean.kelly () lanston com
Date: Fri, 29 Oct 1999 11:30:50 -0400

I pose this question to the group, what are the potential dangers of
tunneling DCOM objects or in essence an application through a well known
port (http).  I am assuming an application proxy based firewall with a
standard inbound port 80 wrapper.  Locked down from the IP of web server to
the IP of application server.

I would say that is just as dangerous as exposing the DCOM object directly
on whatever port it would normally use.  Tunneling through HTTP is frowned
upon because you're exposing a non-web service through the standard web
port.  In essence, doing an end-run around whatever security may be in place
in your firewall forbidding such things.  The advantage is that it can be
used by anyone because pretty much every firewall accepts HTTP traffic on
port 80 while most probably forbid traffic on whatever other port the DCOM
object would otherwise use.

I don't know much about the vulnerabilities of DCOM itself, but wrapping it
in HTTP is no more or less secure than the existing method.  I can't see it
being useful for web server to internal machine though, since you are in
control of the firewall between them.  SOAP only seems useful if you want to
expose DCOM objects to people on networks you don't control, as they may be
behind a firewall that doesn't allow access of whatever default port the
DCOM object uses.

Sean
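
Added example, not part of the original post: a sketch of why a port-80 rule cannot tell tunnelled object calls from browsing, while an application proxy that reads the request can. The sample requests, host names and the two filter functions are constructed for illustration; the SOAPAction header check assumes SOAP 1.1 conventions, which the post does not mention.

```python
# Constructed sample traffic; hosts, paths and the method URN are made up.
BROWSER_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SOAP_BODY = (
    b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<SOAP-ENV:Body/></SOAP-ENV:Envelope>"
)
SOAP_POST = (
    b"POST /objects/inventory HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "urn:example#GetStock"\r\n'
    b"Content-Length: %d\r\n\r\n" % len(SOAP_BODY)
) + SOAP_BODY


def port_filter(dst_port):
    """Packet-filter view: the destination port is the only input."""
    return "allow" if dst_port == 80 else "deny"


def parse_request(raw):
    """Split a raw HTTP request into method, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers, body


def proxy_filter(raw):
    """Application-proxy view: look for an object call carried inside HTTP."""
    method, headers, body = parse_request(raw)
    reasons = []
    if "soapaction" in headers:
        reasons.append("SOAPAction header")
    ctype = headers.get("content-type", "").lower()
    if method in ("POST", "M-POST") and "xml" in ctype and b"Envelope" in body:
        reasons.append("XML envelope in request body")
    return ("deny" if reasons else "allow"), reasons


if __name__ == "__main__":
    for name, raw in (("browser GET", BROWSER_GET), ("SOAP POST", SOAP_POST)):
        print(name, "| port rule:", port_filter(80), "| proxy:", proxy_filter(raw))
```

Both requests get the same verdict from the port rule; only the content check separates them.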


