List: ipfilter
Subject: Re: IIOP proxy?
From: Rudolf Schreiner <ras () objectsecurity ! com>
Date: 2003-03-27 16:26:44
On Thu, 27 Mar 2003, James Richardson wrote:
> Oh dear. Corba through a firewall isn't much fun. Iona do wonderwall,
> which I have heard works....
We tried to use it in a banking environment, several years ago.
Our experiences were not that great...
In general CORBA thru a firewall can be very simple or extremely difficult,
depending on the ORB, the application (e.g. callbacks) and the security
policy to enforce.
> If you want to do it yourself, then you could proxy the service yourself
> using Java & RMI ( which you can get to work through a single port ).
> Should be fairly straightforward, if you have the idls. Using DSI/DII
> could be a pain though, if you don't have 'em
I wrote a prototype of an IIOP proxy based on DSI/IR/DII. Works fine! For
example it reliably proxifies object references in callbacks.
The problem is security enforcement. You can't do real access control or
protect servers from malicious requests at a Domain Boundary
Controller. There are also lots of issues to integrate a DBC and
access control at the server. The main problem is the enormous flexibility
of CORBA.
Therefore securing a CORBA application needs much more than just a
firewall.
Cheers,
Rudi
------------------------------------------------------------------------
Rudolf Schreiner, CTO, ObjectSecurity Ltd.
St John's Innovation Centre, Cowley Rd., Cambridge CB4 0WS
Tel. +44 1223 420252, Fax. +44 1223 420844
ras@objectsecurity.com, www.objectsecurity.com
------------------------------------------------------------------------