Timothy Ward commented on ARIES-1613:

A lot of this depends on how you define the boundary of the private network. 
The back end servers are obviously in the private network, and the front end 
servers are obviously publicly accessible, but in order for the front end to 
talk to the back end the front end must also be in the private network. This 
would typically be called a DMZ. It is not possible to avoid using private 
addresses in the DMZ (it's the only way for the front end to talk to the back 
end) - so does this really constitute internal addresses being exposed outside 
the private network?

I assume that the ZooKeeper server is inside the private network and not the 
DMZ? If so then the front end systems must be configured with the internal 
address of the ZooKeeper to contact it, and you already have an internal 
address used in the DMZ (a pretty normal state of affairs). The firewall would 
need to allow this access and I assume that there is some security set up for 
the ZooKeeper. At this point the only way for private addresses from discovery 
to escape is for someone to break into the DMZ and either:

* Hack the ZooKeeper
* Exfiltrate information from the running JVM

Both of these are relatively hard to do (assuming you have decent credential 
management) and rely on the fact that you've already been hacked (they have 
access to your DMZ).

If the ZooKeeper is inside the DMZ then it needs to be more highly secured, and 
probably should not be used for your back-end discovery at all because it is at 
risk of direct hacking. This would have a much greater risk of address leakage 
and puts you into the "two ZooKeeper" model if you want to be safe.

> DiscoveryPlugin interface not exported
> --------------------------------------
>                 Key: ARIES-1613
>                 URL: https://issues.apache.org/jira/browse/ARIES-1613
>             Project: Aries
>          Issue Type: Bug
>          Components: Remote Service Admin
>    Affects Versions: rsa-1.9.0
>            Reporter: Panu Hämäläinen
> The package containing the interface 
> org.apache.cxf.dosgi.discovery.zookeeper.publish.DiscoveryPlugin is not 
> exported (MANIFEST.MF) from bundle cxf-dosgi-ri-discovery-distributed (1.7.0) 
> which makes it impossible to implement 3rd party discovery plugins.
