[nycphp-talk] Secure (XML-RPC) connection
Chris Bielanski
Cbielanski at inta.org
Wed Mar 24 11:25:28 EST 2004
> > ... most firewalls should be able to handle a security protocol such
> that you can
> > allow SSL in and out only for specific IP addresses,
>
> I do't see that functionality anywhere in the config for the BEFSX41.
> :-(
My comment might be a little misleading - what I meant is "allow traffic in
and out for specific IP addresses" I figure this might be under IP
Filtering, if it's there at all?
> > SSL runs on 443 and not 80, so that's one problem out of the way.
>
> 443, 80, it doesn't matter which port is open. What matters
> is *A* port
> is open.
>
True, but then likely so is 53 for DNS, 3306 for MySQL, and probably a few
others, despite your precautions. Locking an entire server down to do all
its work over a single port may be folly, so consider this carefully - is it
a problem you must solve in total, or merely steer clear of?
> > As far as emulating a webserver, there's not
> > much you can do about that. However, if you have your *own*
> code running at
> > both ends, there's nothing to stop you from using private
> encryption on the
> > datastream within the SSL tunnel.
>
> Hmmm, that would take care of web server emulation cracker,
> then the only way to
> break in would be to crack the web server emulate the calls from iside
> the web server box. Better, better...
Actually that's about all you've got left. If someone can get inside your
webserver, they've probably already severely compromised the firewall. I'd
probably ask someone more in tune with Linux security to chime in on that.
So I'm going to restate the standing question:
How can you prevent someone from stealing all the chickens once they've made
it past the firewall and into the henhouse?
~Chris
More information about the talk
mailing list