Firewall Wizards mailing list archives
Re: Firewall Best Practice regarding XMPP traffic?
From: K K <kkadow () gmail com>
Date: Thu, 17 Jun 2010 01:44:10 -0500
In my experience, yes -- XMPP servers are generally deployed in the DMZ with TLS enabled (required) for all connections. Theoretically you could load a copy of your XMPP server's private key onto a content inspection device, granting it visibility inside the encrypted session. I've never known anybody to do this in practice.

What I have seen done for a corporate XMPP deployment is to have the clients connect to an edge device using the legacy SSL-only port (TCP/5223), and then use a generic SSL appliance pass-through to decrypt the traffic at the edge, so it enters the DMZ in the clear, where the TCP stream can be inspected as needed. This still leaves any server-to-server traffic non-inspectable, but ensures all traffic to/from directly connected clients is available for IPS scanning and L-7 inspection/filtering.

Speaking of firewalls, I'm still disappointed that none of the "Chat aware" content filtering products are offering support for XMPP. Blue Coat, Websense, Vontu, etc. all go to great lengths to attempt to see inside AIM and Yahoo chat, but totally ignore the one fully open protocol in the inspection engines.

Kevin Kadow

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
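[Editor's added example; this is not part of Kevin's message or any vendor's product.] The post describes terminating the client TLS session at an edge appliance so the XMPP stream enters the DMZ in the clear, and then complains that no content filter actually parses XMPP. The code below is the kind of L-7 inspection that becomes possible at that point: a stream-oriented stanza parser fed arbitrary TCP segments of the decrypted stream, which flags message bodies matching a DLP pattern, out-of-band URL attachments (XEP-0066) and file-transfer offers (XEP-0095). The sample stream, the chunk sizes, the card-number regex and the `findings` tuples are all constructed for illustration; the XML namespaces are the real ones from the XMPP specs.

```python
"""Stream-oriented XMPP stanza inspector (added example, not from the list post).

Assumes client TLS was already stripped upstream (e.g. an edge SSL appliance on
TCP/5223), so this code sees cleartext XMPP. Policy rules, sample stream and the
findings format are constructed for illustration only.
"""
import re
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_OOB = "jabber:x:oob"                   # XEP-0066 out-of-band data (URL attachments)
NS_SI = "http://jabber.org/protocol/si"   # XEP-0095 stream initiation (file transfer)


def q(ns, tag):
    """Clark-notation qualified tag as ElementTree reports it."""
    return "{%s}%s" % (ns, tag)


# Hypothetical DLP rule: 16-digit card-like numbers with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


class XmppInspector:
    """Incrementally parse an XMPP stream and record policy findings per stanza.

    The <stream:stream> root is never closed on a live connection, so stanzas are
    recognised as elements that close at depth 1 (direct children of the root).
    """

    def __init__(self):
        self._parser = ET.XMLPullParser(events=("start", "end"))
        self._depth = 0
        self.findings = []

    def feed(self, chunk):
        """Feed one TCP segment; any split point is fine, expat buffers partial tags."""
        self._parser.feed(chunk)
        for event, elem in self._parser.read_events():
            if event == "start":
                self._depth += 1
            else:
                self._depth -= 1
                if self._depth == 1:      # a top-level stanza just completed
                    self._inspect(elem)
                    elem.clear()          # keep memory bounded on long-lived streams

    def _inspect(self, stanza):
        frm, to = stanza.get("from", "?"), stanza.get("to", "?")
        if stanza.tag == q(NS_CLIENT, "message"):
            body = stanza.findtext(q(NS_CLIENT, "body")) or ""
            if CARD_RE.search(body):
                self.findings.append(("dlp-card-number", frm, to))
            oob = stanza.find(q(NS_OOB, "x"))
            if oob is not None:
                url = oob.findtext(q(NS_OOB, "url")) or ""
                self.findings.append(("oob-url", frm, to, url))
        elif stanza.tag == q(NS_CLIENT, "iq"):
            if stanza.find(q(NS_SI, "si")) is not None:
                self.findings.append(("file-transfer-offer", frm, to))


# Constructed sample of a decrypted client-to-server stream (not captured traffic).
SAMPLE_STREAM = (
    b"<?xml version='1.0'?>"
    b"<stream:stream xmlns='jabber:client' "
    b"xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'>"
    b"<message from='alice@example.com/pc' to='bob@example.com' type='chat'>"
    b"<body>lunch at noon?</body></message>"
    b"<message from='alice@example.com/pc' to='bob@example.com' type='chat'>"
    b"<body>card is 4111 1111 1111 1111</body></message>"
    b"<message from='mallory@example.com/x' to='bob@example.com'>"
    b"<body>grab this</body>"
    b"<x xmlns='jabber:x:oob'><url>http://example.net/tool.exe</url></x></message>"
    b"<iq from='alice@example.com/pc' to='bob@example.com/pc' type='set' id='ft1'>"
    b"<si xmlns='http://jabber.org/protocol/si' id='s1' "
    b"profile='http://jabber.org/protocol/si/profile/file-transfer'/></iq>"
)


def inspect_stream(data, chunk_size=37):
    """Run the inspector over data in small chunks to simulate TCP segmentation."""
    insp = XmppInspector()
    for i in range(0, len(data), chunk_size):
        insp.feed(data[i:i + chunk_size])
    return insp.findings


if __name__ == "__main__":
    for finding in inspect_stream(SAMPLE_STREAM):
        print(finding)
```

Because inspection happens only when a stanza's closing tag arrives, the result is independent of how the TCP stream is segmented, which is the property an inline IPS needs; the same parser state also makes it straightforward to drop or rewrite a stanza before forwarding it. Note that, exactly as the post says, this only works for the client leg whose TLS was terminated at the edge: server-to-server (TCP/5269) sessions stay opaque unless they are terminated the same way.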
Current thread:
- Firewall Best Practice regarding XMPP traffic? paddy joesoap (Jun 16)
- Re: Firewall Best Practice regarding XMPP traffic? K K (Jun 17)
- Re: Firewall Best Practice regarding XMPP traffic? paddy joesoap (Jun 17)
- Re: Firewall Best Practice regarding XMPP traffic? K K (Jun 17)