> I pose this question to the group, what are the potential dangers of
> tunneling DCOM objects or in essence an application through a
> well known port (http). I am assuming an application proxy based
> firewall with a standard inbound port 80 wrapper. Locked down from
> the IP of web server to the IP of application server.

I would say that is just as dangerous as exposing the DCOM object directly on whatever port it would normally use. Tunneling through HTTP is frowned upon because you're exposing a non-web service through the standard web port. In essence, doing an end-run around whatever security may be in place in your firewall forbidding such things.

The advantage is that it can be used by anyone because pretty much every firewall accepts HTTP traffic on port 80 while most probably forbid traffic on whatever other port the DCOM object would otherwise use.

I don't know much about the vulnerabilities of DCOM itself, but wrapping it in HTTP is no more or less secure than the existing method. I can't see it being useful for web server to internal machine though, since you are in control of the firewall between them. SOAP only seems useful if you want to expose DCOM objects to people on networks you don't control, as they may be behind a firewall that doesn't allow access of whatever default port the DCOM object uses.

Sean
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:46:01 PDT