List:       ipfilter
Subject:    Re: IIOP proxy?
From:       Rudolf Schreiner <ras () objectsecurity ! com>
Date:       2003-03-27 16:26:44

On Thu, 27 Mar 2003, James Richardson wrote:

> Oh dear. Corba through a firewall isn't much fun. Iona do wonderwall, 
> which I have heard works....

We tried to use it in a banking environment, several years ago.
Our experiences were not that great...
In general CORBA thru a firewall can be very simple or extremely difficult,
depending on the ORB, the application (e.g. callbacks) and the security
policy to enforce. 

> If you want to do it yourself, then you could proxy the service yourself 
> using Java & RMI ( which you can get to work through a single port ).
> Should be fairly straightforward, if you have the idls. Using DSI/DII
> could be a pain though, if you don't have 'em

I wrote a prototype of an IIOP proxy based on DSI/IR/DII. Works fine! For
example it reliably proxifies object references in callbacks.
The problem is security enforcement. You can't do real access control or
protect servers from malicious requests at a Domain Boundary
Controller. There are also lots of issues to integrate a DBC and
access control at the server. The main problem is the enormous flexibility
of CORBA. 
Therefore securing a CORBA application needs much more than just a
firewall.

Cheers,
Rudi
------------------------------------------------------------------------
Rudolf Schreiner, CTO, ObjectSecurity Ltd.
St John's Innovation Centre, Cowley Rd., Cambridge CB4 0WS
Tel. +44 1223 420252, Fax. +44 1223 420844 
ras@objectsecurity.com, www.objectsecurity.com
------------------------------------------------------------------------ 