RE: RPCs over HTTPS through the firewall

[Mark Tinberg <mtinberg () securepipe com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 22 Apr 2003, Ben Nagy wrote:
[snip]
> Finally, "conventional" port 443 traffic basically contains unsecured,
> unsecureable rubbish, passing through the firewall encrypted, so that it's
> all one Big River of Risk as far as an admin is concerned. Does it matter
> much if we add RPC to the sludge? Nnnnnnnope.

I would not agree with that.  HTTP traffic over 443 or 80 has a similar
risk profile, although encrypting traffic over 443 prevents several types
of shenanigans that can be had on the intervening network links.  RPC on
the other hand generally exposes a much richer interface, directly into
the core of the OS that generally was never designed with security as even
a tertiary concern.  There are way more things that can go wrong and you
have far less access control opportunities than with a web service.  I
would say that allowing RPC from random hosts on the Internet without at
least authenticating the source before allowing the traffic through is a
no-go.

- -- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67

        Your daily fortune . . .

Weekends were made for programming.
- - Karl Lehenbauer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iEYEARECAAYFAj6odxIACgkQFu7F5OUjbGdQCACePPwKd2geMkSqby535hbZdUD7
frkAn2srPeYBSkMC0EL1AxA8/J6KyarT
=Yx8o
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards