Oooh, calm down there!

What I meant by opening TCP high ports on the Firewall is the normal
procedure if you have an application running at high ports and you want to
debug it to perform some fine tuning on your application. Since the daemons
running at tcp-high should not provide root access (wr) on your system, the
risk to provide root-access with your application is low! BUT still exists.
An FTP daemon contains "some" risks because it runs in TCP-low. The best
way to solve it in my opinion is by

1) using a "proxy server" between your CORBA server and Firewall, and let
every random session be port-mapped by your proxy to a known port of
your choice; after that define a rule on your Firewall for this typical
traffic.
2) If you have a RAPTOR Proxy Firewall, you can define a proxy daemon on
your Firewall that fits your CORBA application. The Raptor Firewall also
provides the possibility of OS hardening (strips the OS & kills all
unnecessary applications & shells running on your Firewall) by default.
3) Use HP-VVAULT B2 OS, ... for more info check www.hp.com/security

Another solution could be to implement a CORBA-firewall and let the
client/server CORBA traffic pass using IIOP. For more info check
www.omg.org! CORBA release-3 

Kind regards,

Samir



At 15:00 4/12/2000 -0500, Paul D. Robertson wrote:
>On Mon, 4 Dec 2000, Al Potter wrote:
>
>> with.  Why anyone would spec a protocol like this these days is beyond me.
>
>Because idiots will open firewalls instead of batting the application
>designer about the head with a clue-by-four.  I can't count the number of
>idiotic vendors I've sent packing due to idiotic protocol design.
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson      "My statements in this message are personal opinions
>[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>                                                                     PSB#9280
>
Samir Fahim
CEO Uniskill NV
Museumstraat 8 
2000 Antwerpen
Tel.: (32)-(0)3/257.10.92
Mobile: (32)-(0)75/850.772
Fax:(32)-(0)3/257.17.40