I have reviewed Tibco and Rendezvous. I call it the "poor man's CORBA." The RVP protocol is UDP and broadcasts throughout your network. The RV listeners read all the UDP traffic looking for datagrams that pertain to them. My experience with TIBCO running on a switched network was that it wasn't very reliable. It does work well on an unswitched network.

Here is the rub, however. Unswitched, the network is easy to sniff. If you capture the UDP packets, do some analysis, and -- voila -- start injecting your own spoofed packets, the RV listeners will respond. In the case of the network I was working on, that included requests for account information, to which the RV listeners responded. The same for order taking, credit cards, etc.

This can be mitigated greatly by implementing very specific ACLs on the routers to route the datagrams to specific servers on specific segments. This is labor and maintenance intensive.

The Tibco product is very sound and works very well under most conditions. It is, IMHO, vulnerable to attack. I would be careful using it with sensitive information due to the connectionless protocol. It is very well suited for broadcasting information and data, as long as you wouldn't shy from broadcasting the same information over your local AM station. If that isn't acceptable, perhaps a different product with a different operating methodology would be better.

Now, all that said, the experience I just stated is nine months old (1 Internet year). Things change. Mileage may vary. However, when I first looked into Tibco, the shop using it wasn't even blocking it at the WAN router and was blasting datagrams to the Internet in search of a sympathetic RV listener. So, I may be a bit skewed in my opinion. I liked Rendezvous and the technology -- just not for credit card transactions.

Belka Xakepob

> Hi all,
>
> Has anyone in this list reviewed the Rendezvous protocol and the security
> considerations relating to this protocol? I am on an assignment to review
> security implemented in a middleware product (TIBCO), which is using this
> protocol to communicate between various systems. I have been able to gather
> some information from http://www.psl.cs.columbia.edu/papers/rvp-dd.html ,
> which does not appear to be fully current. I couldn't find any RFC on this.
> I would appreciate any help in this regard.
>
> Thanks and Regards.
>
> Brahma

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
----------------------------------------------------------------------------
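Editor's added example, not part of either message above and not TIBCO's own code: a small Python model of a subject-addressed, connectionless message bus, showing the sniff-then-spoof sequence the reply describes and what a per-segment router ACL does and does not prevent. The subject names, addresses, the "wire" format and the account handler are all constructed for illustration; nothing here reproduces the real Rendezvous packet layout.

```python
# Constructed model of an unauthenticated, subject-addressed UDP bus.
# Every listener sees every datagram and acts on the subjects it cares about;
# nothing ties a datagram to a genuine sender. Names and addresses are assumed.
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str        # source IP as seen on the wire; a UDP sender can set this freely
    subject: str    # dotted subject name, e.g. "ACCT.INFO.REQ" (assumed naming scheme)
    payload: bytes


class Listener:
    """Consumes every datagram on the wire and handles those whose subject
    matches its glob pattern. There is no sender authentication at all."""

    def __init__(self, pattern, handler):
        self.pattern = pattern
        self.handler = handler
        self.replies = []   # (address the reply would go to, reply bytes)

    def on_datagram(self, dg):
        if not fnmatch.fnmatchcase(dg.subject, self.pattern):
            return None     # not addressed to this listener, ignored
        reply = self.handler(dg)
        self.replies.append((dg.src, reply))
        return reply


def account_handler(dg):
    # Constructed stand-in for a back-end that answers account lookups.
    return f"balance for {dg.payload.decode()}: 1234.56".encode()


# Constructed capture of what a sniffer on an unswitched segment would see.
CAPTURE = [
    Datagram("10.1.5.20", "ACCT.INFO.REQ", b"ACCT-0001"),
    Datagram("10.1.5.21", "ORDER.NEW", b"sell 100 XYZ"),
    Datagram("10.1.5.20", "ACCT.INFO.REQ", b"ACCT-0002"),
]


def sniff_subjects(capture):
    """Attack step 1: learn which subjects are in use from passive capture."""
    return sorted({dg.subject for dg in capture})


def forge(capture, subject, payload, src):
    """Attack step 2: build a datagram a listener cannot tell from a real one.
    Only the subject must be right; the source address is whatever we claim."""
    if subject not in sniff_subjects(capture):
        raise ValueError("subject not observed on the wire")
    return Datagram(src, subject, payload)


def segment_acl(allowed_nets):
    """The mitigation from the reply: a router ACL that only passes datagrams
    whose source sits on an approved segment."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]

    def admit(dg):
        ip = ipaddress.ip_address(dg.src)
        return any(ip in net for net in nets)

    return admit


def deliver(listener, dg, admit=None):
    """What the network does: every listener sees every datagram unless an
    ACL drops it first."""
    if admit is not None and not admit(dg):
        return None
    return listener.on_datagram(dg)


def demo():
    listener = Listener("ACCT.*", account_handler)
    subjects = sniff_subjects(CAPTURE)

    # Attacker on a different segment, using its real address.
    forged = forge(CAPTURE, "ACCT.INFO.REQ", b"ACCT-0002", src="10.1.9.77")

    # No ACL: the listener answers the attacker exactly as it would a real client.
    open_reply = deliver(listener, forged)

    # Per-segment ACL: the attacker's segment is not approved, so it is dropped.
    admit = segment_acl(["10.1.5.0/24"])
    acl_reply = deliver(listener, forged, admit)

    # Caveat: the ACL keys on a source address a UDP sender can forge. The reply
    # goes to the spoofed address, but the request is still processed, which is
    # all an attacker needs for one-way actions such as placing an order.
    spoofed = forge(CAPTURE, "ACCT.INFO.REQ", b"ACCT-0002", src="10.1.5.20")
    spoofed_reply = deliver(listener, spoofed, admit)

    return subjects, open_reply, acl_reply, spoofed_reply


if __name__ == "__main__":
    print(demo())
```

The point of the last step is the practitioner's caveat on the ACL approach: filtering by source segment stops a lazy injector on another segment, but it does not authenticate anything, so a sender who forges an approved source address (or who is already on the approved segment) still gets its datagram acted upon.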
This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 12:05:10 PDT