
Re: "Uh, what do I need this for" (was RE: XML.COM: How I Learne d toLove daBomb)



"Champion, Mike" wrote:
> 
> and (potentially?) giving a new generation of script kiddies a simple way
> through all the world's firewalls scares hell out of me.
> 
Is there a detailed case for this worry? I see two possible problem
scenarios

[a]	Does SOAP allow program calls to flow through generic HTTP firewall
holes because SOAP is also using HTTP? I think the answer is no. SOAP on
HTTP requires a SOAPAction HTTP header - the message will be rejected
without it. I'm not a firewall guru but I understand that this could be
used to simply disable SOAP traffic on an otherwise SOAP-unaware firewall.

[b]	Does SOAP allow script kiddies new opportunities against
intentionally SOAP-enabled firewalls? Again, I think the answer is no.
There are no default SOAP services on machines to be left enabled by
accident. The fact that SOAP will normally come in through HTTP means
that the rest of the server-side infrastructure should be reasonably
well hardened.

[c]	Does SOAP prevent application-level or authentication attacks? I'd
say no, by design. It delegates other security issues to SSL and the
applications in question. But this isn't really the firewall question
you're raising.

Have I overlooked anything obvious?

Francis.
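An added example, not part of the original thread, of the filtering idea in point [a]: a minimal HTTP-header classifier that a SOAP-unaware gateway could use to deny SOAP-over-HTTP requests by keying on the SOAPAction header that SOAP 1.1 requires on every HTTP request (SOAP 1.2 dropped that header and is recognised by its application/soap+xml media type instead). The function names, the policy flag and the sample requests are constructed for this example.

```python
"""Added example (not from the original thread): a header-based SOAP
filter for an otherwise SOAP-unaware HTTP gateway.  SOAP 1.1 over HTTP
requires a SOAPAction header on every request; SOAP 1.2 instead uses the
application/soap+xml media type.  Sample requests below are constructed."""

from typing import Mapping

SOAP12_MEDIA_TYPE = "application/soap+xml"  # SOAP 1.2 replaces SOAPAction with this


def _lower_headers(headers: Mapping[str, str]) -> dict:
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def looks_like_soap(method: str, headers: Mapping[str, str]) -> bool:
    """Return True if the request presents itself as a SOAP call.

    SOAP 1.1 over HTTP: POST carrying a SOAPAction header (any value, even "").
    SOAP 1.2 over HTTP: POST with Content-Type application/soap+xml.
    """
    if method.upper() != "POST":
        return False
    h = _lower_headers(headers)
    if "soapaction" in h:
        return True
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    return ctype == SOAP12_MEDIA_TYPE


def filter_decision(method: str, headers: Mapping[str, str],
                    soap_allowed: bool = False) -> str:
    """Gateway policy (hypothetical): 'allow' ordinary HTTP, 'deny' anything
    that looks like SOAP unless the gateway has been explicitly SOAP-enabled."""
    if looks_like_soap(method, headers) and not soap_allowed:
        return "deny"
    return "allow"


# Constructed sample requests: (method, headers)
SAMPLES = [
    ("GET", {"Host": "www.example.com"}),
    ("POST", {"Host": "www.example.com",
              "Content-Type": "text/xml; charset=utf-8",
              "SOAPAction": '"urn:example:GetQuote"'}),
    ("POST", {"Host": "www.example.com",
              "Content-Type": "text/xml",
              "soapaction": '""'}),                       # empty action, lowercase name
    ("POST", {"Host": "www.example.com",
              "Content-Type": "application/soap+xml; charset=utf-8"}),  # SOAP 1.2
    ("POST", {"Host": "www.example.com",
              "Content-Type": "application/x-www-form-urlencoded"}),    # plain form post
]


def classify_samples(soap_allowed: bool = False) -> list:
    """Run the policy over the constructed samples and return the decisions."""
    return [filter_decision(m, h, soap_allowed) for m, h in SAMPLES]


if __name__ == "__main__":
    for (method, headers), decision in zip(SAMPLES, classify_samples()):
        print(f"{method:4} {headers.get('Content-Type', '-'):45} -> {decision}")
```

The check enforces the protocol's own convention, so it is a deployment-policy switch for conforming SOAP clients rather than a hard security boundary: the header is supplied by the client, and nothing here inspects the XML body. The application-layer controls the post mentions under [c] still have to sit behind it.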