-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Content-Type: text/plain; charset=us-ascii
Sir:
[EMAIL PROTECTED] said:
> "FTP-ish"? There are actually valid reasons to use something like this.
> Various purchased applications that we have utilize servers which
> accept an initial IP/PORT. These "initial connection" servers validate
> the request and then assign it off to another process which may be
> executing on another system (load-balancing, for example). This
> "pass-off" requires opening another connection. That information is
> done via a PORT command similar to FTP. While this doesn't have
> concurrent command/data connections, it has a similar logic.
I politely disagree, and to clarify, this is a rant about poor protocol design
and lame firewalling techniques, not your reply.
You are stuck (apparently) with an application suite that behaves this way.
So apparently is the original poster.
The suite apparently provides business critical functionality (it IS critical
right? Otherwise the whole discussion is moot.) and you have to support it,
meaning you have to get it through the firewall.
The RIGHT way to get something evil like this through a firewall, if you have
to, is with a proxying or filtering widget that is sufficiently aware of the
application that it can open and close dynamically only those negotiated,
agreed upon, and therefore necessary source port/IP to destination port/IP
combinations.
The BEST way is to not have to deal with this at all. In other words, design
your protocols and solutions so that they do not require this hackery (open a
range of ports) or a sophisticated application aware proxy/filter to get them
through the firewall, and from the consumer or integrator's POV, don't buy
applications or solutions that work this way.
Hope this clarifies my opinion....
AL
- --
+--------------------------------------------------------------------+
| Al Potter Manager, Network Security Labs |
| apotter at-yay icsa ot-day net ICSA Labs |
| (If the spambots learn piglatin...) |
| PGP Key: 0x58C95451 http://www.icsa.net |
| PGP Fingerprint: D3 1D BE 8C B5 DD 12 61 5A 4A 65 32 93 E5 D9 36 |
+--------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Exmh version 2.2 06/23/2000
iQCVAwUBOiwQu9uN3h5YyVRRAQI6twP8CLaGbD5dZsRwFIrVYDum2WWEbk4QVmN8
OhcT3Zpz/8E4rsnmdHX+XvQwnhlg03WyQR4BakItvBAZJteq0/TN7vsEpfq6RekN
gROflOIL4xPmmpyqSe+PLbH19lwyWuapkWbTKJm8aVu+cdWSjq7mKToGw3yFSGfX
dYEeHuebBuM=
=MB9y
-----END PGP SIGNATURE-----
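The "proxying or filtering widget" Al describes is what later came to be called an application-level gateway: it watches the control channel, parses the negotiated address, and opens a hole for exactly that source/destination pair, then closes it again. The following Python model is an added illustration written for this page, not code from the firewalls list or from any product mentioned in the thread. It assumes an FTP-style `PORT h1,h2,h3,h4,p1,p2` line on the control channel, a constructed client/server address pair, and a fixed pinhole lifetime; the `static_range_permits` function stands in for the "open a range of ports" approach the message argues against.

```python
"""Model of an application-aware firewall pinhole for an FTP-style PORT
exchange. Constructed example for illustration; all addresses are made up."""
import re
import time
from dataclasses import dataclass

# FTP-style PORT command: four IPv4 octets, then high and low port bytes.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port_command(line: str):
    """Return (ip, port) advertised by a PORT line, or None if malformed
    or pointing at a privileged port (which a gateway should never pinhole)."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    port = fields[4] * 256 + fields[5]
    if port < 1024:
        return None
    return ".".join(str(o) for o in fields[:4]), port


@dataclass
class Pinhole:
    src_ip: str      # server that will open the secondary connection
    dst_ip: str      # client that advertised the port
    dst_port: int
    expires: float   # absolute time after which the hole is closed


class ApplicationAwareFilter:
    """Opens one exact src/dst pinhole per negotiated PORT, with a short TTL."""

    def __init__(self, ttl_seconds: float = 30.0):
        self.ttl = ttl_seconds
        self.pinholes: list[Pinhole] = []

    def on_control_line(self, client_ip, server_ip, line, now=None):
        now = time.time() if now is None else now
        parsed = parse_port_command(line)
        if parsed is None:
            return None
        adv_ip, adv_port = parsed
        # Only honour a PORT that points back at the client that sent it;
        # a gateway that opens holes toward third parties is no better
        # than a static open range.
        if adv_ip != client_ip:
            return None
        hole = Pinhole(server_ip, adv_ip, adv_port, now + self.ttl)
        self.pinholes.append(hole)
        return hole

    def permits(self, src_ip, dst_ip, dst_port, now=None):
        """True only for an exact, unexpired negotiated combination."""
        now = time.time() if now is None else now
        self.pinholes = [h for h in self.pinholes if h.expires > now]
        return any(
            h.src_ip == src_ip and h.dst_ip == dst_ip and h.dst_port == dst_port
            for h in self.pinholes
        )


def static_range_permits(dst_port: int) -> bool:
    """The 'open a range of ports' alternative: any source, any time."""
    return 1024 <= dst_port <= 65535


def demo():
    """Constructed exchange: client 10.0.0.5 talks to server 192.0.2.10."""
    f = ApplicationAwareFilter(ttl_seconds=30)
    hole = f.on_control_line("10.0.0.5", "192.0.2.10", "PORT 10,0,0,5,4,1", now=1000.0)
    return {
        "negotiated_port": hole.dst_port,
        "exact_flow_allowed": f.permits("192.0.2.10", "10.0.0.5", 1025, now=1001.0),
        "other_port_allowed": f.permits("192.0.2.10", "10.0.0.5", 1026, now=1001.0),
        "after_expiry_allowed": f.permits("192.0.2.10", "10.0.0.5", 1025, now=1031.0),
        "range_policy_allows_other_port": static_range_permits(1026),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast in `demo()` is the point of the message: the application-aware filter admits only the one negotiated server-to-client flow and forgets it after the TTL, whereas the static range admits every high port from any source for as long as the rule exists.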