Thanks for the reply. It uses the TCP protocol. This particular program is sort of nasty in that it uses two ports for two servers running at that software company's site to register any users who are going to use this program (as it stands now, it is free) to start a chat session. Any chat "host" user (only one host user is allowed) who hosts a session will be able to decide to allow or deny a new user to join the session. Any user can choose two ports (a range from 1 to 500 is given in the manual, but the techie suggested otherwise) in a range to use for communication with other members in that session. The only "good" suggestion the techie gave may be that one should restrict the two user ports to 7000 and 7001 instead of opening all ports in that huge range. Of course, if I know that only people from a given IP network address will join any discussion session, I would restrict source addresses to that site only, plus the site of the software company who wants to register all users.

I would recommend the above solution (punching holes in the firewall) to our security committee and I guess they would approve it anyway. But my conscience tells me that this is not a good solution, and more similar cases are out there; we need a more general solution to allow this kind of incoming traffic w/o damaging too much of security.

In fact what I want to say is more than this particular program. I want to point out to the mailing list that the current DMZ architecture may not solve all the practical problems in the real world. I prefer some kind of proxying. I am using IBM Firewall For AIX. IBM suggests we use some generic TCP relay software downloadable from their ftp site. But those relay servers are not sophisticated enough to solve this particular problem.

Ellana Livermore wrote:
>
> You might ask what protocol they are using - is it UDP/RPC or
> TCP/IP. I don't know which firewall you are using, but some
> (including ours) have proxies that can handle some of these
> types of applications. I know Gauntlet, for example, has
> a generalized proxy. Our product has RPC/UDP and generalized
> proxies. Anyway, find out from the vendor what the protocols,
> headers, etc. look like and contact your f/w vendor for assistance.
>
> I know that we help our clients all the time with this type of issue
> and believe that this is standard support from the f/w vendor
> community.
>
> Good luck
> Ellana
>
> At 09:01 AM 5/21/99 -0600, you wrote:
> >An engineer wants to use Dr. DWG Collaborator'99. This is a program to
> >allow people to chat via the Internet, displaying and even modifying
> >drawings from their CAD environments. But our engineers are behind the
> >firewall. Does anybody happen to have had to deal with it?
> >
> >The company that developed this product says that there are no security
> >considerations taken in the development, but to use it, one must punch
> >holes in the firewall to allow incoming traffic, which is very
> >undesirable.
> >
> >Whenever we ask people to move out of the firewall to use this kind of
> >dangerous program, typical responses we get from our users are: "No, we
> >want to stay behind the firewall to get some protection." So we have to
> >find a solution to be able to permit incoming traffic while not
> >compromising security.
> >
> >TIA,
> >--
> >Peter Zhang
> >UCS, University of Calgary
> >Tel (403)-220-4061
>
> __________________________________________________________________
>
> Ellana Livermore
> Livermore Software Laboratories
> div of Freemont Avenue Software, Inc.
> 1830 S. Kirkwood, Suite 205
> Houston, TX 77077
> vox: 281-759-3274 or 800-240-5754
> fax: 281-759-8558
> www.lsli.com

--
Peter Zhang
UCS, University of Calgary
Tel (403)-220-4061
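The message above weighs three ways of letting this chat program through the firewall: the manual's full port range open to everyone, the techie's two fixed ports (7000 and 7001), and those two ports restricted to the partner site and the vendor's registration site. The following is an added example, not code from the thread, IBM Firewall for AIX, or the vendor: a small Python model of those three rule sets that evaluates constructed inbound connection attempts against each and counts how many ports each leaves reachable from arbitrary sources. The networks (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are documentation ranges chosen for the example, not the sites from the original discussion.

```python
"""Compare three firewall policies for the chat program discussed in the
thread. Every address and network below is a constructed sample value."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    src: IPv4Network         # permitted source network
    ports: Tuple[int, int]   # inclusive destination port range
    proto: str = "tcp"


@dataclass(frozen=True)
class Conn:
    src_ip: str
    dst_port: int
    proto: str = "tcp"


def admits(policy: Iterable[Rule], conn: Conn) -> bool:
    """True if any rule in the policy permits this inbound connection."""
    addr = ip_address(conn.src_ip)
    for r in policy:
        lo, hi = r.ports
        if r.proto == conn.proto and addr in r.src and lo <= conn.dst_port <= hi:
            return True
    return False


def exposed_ports(policy: Iterable[Rule]) -> int:
    """Count destination ports reachable from any source (a 0.0.0.0/0 rule).
    Ports reachable only from named networks are deliberately not counted;
    that is what restricting sources buys you."""
    ports = set()
    for r in policy:
        if r.src.prefixlen == 0:
            ports.update(range(r.ports[0], r.ports[1] + 1))
    return len(ports)


ANY = ip_network("0.0.0.0/0")
PARTNER_SITE = ip_network("192.0.2.0/24")    # constructed: the one site whose users join sessions
VENDOR_SITE = ip_network("198.51.100.0/24")  # constructed: the vendor's registration servers

# What the manual implies: the whole user-port range, open to everyone.
MANUAL_POLICY = [Rule(ANY, (1, 500))]

# The techie's suggestion on its own: two fixed ports, still open to everyone.
PORTS_ONLY_POLICY = [Rule(ANY, (7000, 7001))]

# Fixed ports plus source restriction: only the two networks that have a
# reason to connect.
TIGHT_POLICY = [Rule(PARTNER_SITE, (7000, 7001)), Rule(VENDOR_SITE, (7000, 7001))]

# Constructed inbound attempts, as the firewall would see them.
SAMPLE_CONNS = [
    Conn("192.0.2.17", 7000),    # partner engineer joining a session
    Conn("198.51.100.5", 7001),  # vendor registration server calling back
    Conn("203.0.113.9", 7000),   # unknown host trying the chat port
    Conn("203.0.113.9", 23),     # unknown host trying telnet
    Conn("192.0.2.17", 80),      # partner host, but not the chat port
]


def evaluate(policy: Iterable[Rule]) -> List[bool]:
    """Admission decision for each sample connection under the given policy."""
    return [admits(policy, c) for c in SAMPLE_CONNS]


if __name__ == "__main__":
    for name, pol in (("manual", MANUAL_POLICY),
                      ("ports-only", PORTS_ONLY_POLICY),
                      ("tight", TIGHT_POLICY)):
        print(f"{name:10s} {evaluate(pol)}  any-source ports: {exposed_ports(pol)}")
```

The manual's policy admits the telnet and web attempts from anyone while the chat ports are still a matter of which low port a user happened to pick; the two-port policy closes that down to two ports but still answers the unknown host; only the source-restricted policy admits exactly the partner and vendor traffic and nothing from anywhere else. That is the gap the message is pointing at: a port filter alone cannot tell a legitimate session member from a stranger on the same port, which is what a proxy that understands the application would be for.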
