Port blocking
Steve Holden
steve at holdenweb.com
Mon Jan 10 20:06:59 EST 2005
Ville Vainio wrote:
> >>>>> "Mark" == Mark Carter <cartermark46 at ukmail.com> writes:
>
>
> Mark> Mark Carter wrote:
> >> Paul Rubin wrote:
>
> >>> Usually you wouldn't run a public corba or pyro service over
> >>> the internet. You'd use something like XMLRPC over HTTP port
> >>> 80 partly for the precise purpose of not getting blocked by
> >>> firewalls.
>
> Mark> I'm not sure if we're talking at cross-purposes here, but
> Mark> the application isn't intended for public consumption, but
> Mark> for fee-paying clients.
>
> Still, if the consumption happens over the internet there is almost
> 100% chance of the communication being prevented by firewalls.
>
> This is exactly what "web services" are for.
>
I teach the odd security class, and what you say is far from true. As
long as the service is located behind a firewall which opens up the
correct holes for it, it's most unlikely that corporate firewalls would
disallow client connections to such a remote port.
Web services are for offering services despite the fact that the
corporate firewall managers are valiantly trying to stop unknown
services from presenting to the outside world (and my immediately
preceding post tells you what I think of that idea).
The situation is analogous to connecting to web servers running on
non-standard ports (8000 and 8080 are traditional favorites, but
firewalls very rarely accord them any special treatment).
Most firewall configurations allow fairly unrestricted outgoing
connections, limiting rules to sanity checking of addresses to ensure
nobody inside the firewall is address spoofing. Incoming connections are
usually limited to specific combinations of port number and IP address
known to be legitimate corporate services to the external world.
Firewalling web services effectively is just an additional pain for the
network manager.
regards
Steve
--
Steve Holden http://www.holdenweb.com/
Python Web Programming http://pydish.holdenweb.com/
Holden Web LLC +1 703 861 4237 +1 800 494 3119
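The firewall policy Steve describes (egress open apart from an anti-spoofing check on the source address, ingress limited to an explicit list of address/port pairs) is easy to model, and doing so makes the point of the thread concrete: a client-side corporate firewall does not care whether the remote port is 80, 8080 or a Pyro port, so whether the connection succeeds comes down to whether the *server* side has published that port. The following is an added illustration in Python, not code from the thread or from Pyro; the firewall class, the RFC 5737 documentation addresses, and the choice of 9090 as the Pyro-style port are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """Toy packet filter modelling the policy described in the post.

    Egress: permitted unless the source address is not one of ours
    (anti-spoofing sanity check); the destination port is not inspected.
    Ingress: permitted only for (address, port) pairs explicitly published.
    """
    name: str
    inside: list                                  # CIDR strings behind this firewall
    published: set = field(default_factory=set)   # {(dst_ip, dst_port)} exposed outside

    def allow_egress(self, src_ip, dst_ip, dst_port):
        src = ipaddress.ip_address(src_ip)
        if not any(src in ipaddress.ip_network(net) for net in self.inside):
            return False, f"{self.name}: dropped outbound, spoofed source {src_ip}"
        # No port check here: 80, 8080 and 9090 get the same treatment outbound.
        return True, f"{self.name}: outbound to {dst_ip}:{dst_port} permitted"

    def allow_ingress(self, dst_ip, dst_port):
        if (dst_ip, dst_port) in self.published:
            return True, f"{self.name}: inbound {dst_ip}:{dst_port} is a published service"
        return False, f"{self.name}: dropped inbound to {dst_ip}:{dst_port}, not published"


def connection_permitted(client_fw, server_fw, src_ip, dst_ip, dst_port):
    """A TCP connection gets through only if the client side lets it out
    AND the server side lets it in. Returns (ok, list of decisions)."""
    log = []
    ok, msg = client_fw.allow_egress(src_ip, dst_ip, dst_port)
    log.append(msg)
    if not ok:
        return False, log
    ok, msg = server_fw.allow_ingress(dst_ip, dst_port)
    log.append(msg)
    return ok, log


# Constructed scenario (documentation address ranges, hypothetical port numbers).
CLIENT = "10.0.0.5"          # fee-paying client's workstation inside the corporate net
SERVER = "203.0.113.10"      # the vendor's service host
PYRO_PORT = 9090             # hypothetical port for a Pyro/CORBA-style service

CORP = Firewall("corp-fw", inside=["10.0.0.0/8"])
VENDOR_OPEN = Firewall("vendor-fw", inside=["203.0.113.0/24"],
                       published={(SERVER, 80), (SERVER, 8080), (SERVER, PYRO_PORT)})
VENDOR_CLOSED = Firewall("vendor-fw", inside=["203.0.113.0/24"],
                         published={(SERVER, 80)})


def scenarios():
    """Map each case to whether the connection would be established."""
    return {
        "pyro, vendor opened the port":  connection_permitted(CORP, VENDOR_OPEN, CLIENT, SERVER, PYRO_PORT)[0],
        "pyro, vendor left it closed":   connection_permitted(CORP, VENDOR_CLOSED, CLIENT, SERVER, PYRO_PORT)[0],
        "xml-rpc over port 80":          connection_permitted(CORP, VENDOR_CLOSED, CLIENT, SERVER, 80)[0],
        "web server on 8080":            connection_permitted(CORP, VENDOR_OPEN, CLIENT, SERVER, 8080)[0],
        "spoofed source leaving corp":   connection_permitted(CORP, VENDOR_OPEN, "192.0.2.7", SERVER, PYRO_PORT)[0],
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label:30} -> {'connects' if ok else 'blocked'}")
```

Run as a script it prints one line per case; the only case blocked at the corporate side is the spoofed source, while the Pyro and 8080 cases are decided entirely by the vendor's published list, which is the "correct holes" Steve refers to.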