> -----Original Message-----
> This tool set allows DCOM objects to basically be encapsulated
> inside http.

Just for historical value: Currently this is done with COM Internet Services, and requires a cooperating IIS server with an RPC forwarding ISAPI filter. This is not DCOM in HTTP (as SOAP is), but really DCOM over port 80, with the explicit purpose of bypassing firewall rules (I don't care what spin Microsoft puts on it).

> InternetWeek claims this is a potentially dangerous and serious security flaw.
> Though it doesn't elaborate on the details.

I would assume their point is that this will essentially allow DCOM through the firewall, which we all would agree is "potentially dangerous and serious".

> I pose this question to the group, what are the potential dangers of
> tunneling DCOM objects ...

I pose that it is not DCOM, per se, that is the problem, but in fact the hordes of programmers that are writing VERY insecure applications in COM, then getting the bright idea that they can "network" this thing with little effort. So now you have (hundreds of) thousands of programs that are accessible from the internet, and they have absolutely NO security built into them from the standpoint of being properly written (i.e. bounds checking), or of using the security features of DCOM (i.e. Call, Connect, Packet security stuff).

> I am assuming an application proxy based firewall with a
> standard inbound port 80 wrapper. Locked down from the IP of web
> server to the IP of application server. The application server must be aware of the
> payload and be able to strip it out of the http tunnel and execute it.

This is A LOT to assume. I would bet that 75% of the sites do not have this level of protection. And again, you assume a security aware server; I would NOT assume this ;)

My $.02,

Phil

--------------------------------------------
SystemExperts Corporation
Philip C. Cox, Consultant
+1 (888) 749-9800 (Corp HQ, toll free, USA only)
+1 (209) 830-0595 (main)
+1 (209) 830-0594 (fax)
http://www.SystemExperts.com/
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:46:10 PDT