Comments on TaoSecurity Blog: Not Your Father's TCP/IP Stack
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16 06:06 (-0400); 7 comments, newest first.

Anonymous, 2007-02-24 07:20 (-0500):
This comment has been removed by a blog administrator.

Anonymous, 2007-02-23 00:25 (-0500):
Now that Cisco bought Reactivity, you can expect even more angle brackets in the stack...

John Ward (https://www.blogger.com/profile/10741149622435353727), 2007-02-13 15:14 (-0500):
Rich,

I can't remember an instance over the last year where I worked on a web service based project that ran over port 80. It's not good practice to run services off the same server you run your static content on, and last I checked, most application containers were configurable to run on different ports than 80 (Tomcat, WebSphere, etc.), allowing for separation of services. Running on port 80 is optional, not a requirement. And even if it wasn't, how hard would it be to set up a rule to monitor a particular context path in a GET or POST request to determine if a call was to a static HTML page or to a web service?

In all web service implementations I've done in the last 6 months, the security folks had to have their arms twisted to do the leg work to do the necessary configuration as mentioned above. God forbid admins should take a break from their busy day of looking at videos on YouTube to do their jobs, let alone actually be able to correctly configure a router or firewall without trial and error (which happens more often than you think). This seems more of an issue of policy than a technical flaw. Smarter folks than us are backing this, so there might be something to it.

Also, why are you knocking web services for riding on HTTP's back when SSH is just as guilty, if not more so? Last I checked, SSH allowed for several different encryption schemes, a telnet-like session, an FTP-like session, an RCP-like session, X11 forwarding, and port tunneling, which, by contrast, is a whole lot more dangerous than offering a structured service to return stock quotes over a single, unencrypted port. SSH does more to throw the TCP/IP stack out the window than any other standard out there, since with port forwarding you'd have to take the "nice" diagram and start looping layers 3 and 4 up through layer 7 over and over again.

Web services aren't the holy grail of programming, despite what the Java and .Net folks might like us to believe. In fact, it adds tons of unnecessary overhead. But the fact is, the tools exist for making implementations based on them extremely easy to develop and deploy, far more so than any previous technology. While I don't believe that the future of computing is the strictly SOA that M$ seems to be forecasting and we can throw out our desktops in favor of thin web clients, it does provide a far more attractive alternative than its predecessors.

Just some food for thought.

Arthur (Anonymous), 2007-02-13 05:45 (-0500):
"We've got 65535 TCP ports to use and the whole world is collapsing onto one"

But there's a fair argument that it's us security pros that have made that the case. Since port 80 is often the only thing not firewalled, that's what gets used.

Arthur

Anonymous, 2007-02-13 02:36 (-0500):
My students would freak if I showed them that!!

I think I'll stick to granddaddy's stack and let them find the real thing when they grow up.

Sometimes it's good to learn about motors a la 1950 before being exposed to the supercharged monsters that are on today's roads.

Jason Meltzer (https://www.blogger.com/profile/05689158632756750517), 2007-02-12 16:22 (-0500):
My initial snarkiness suggests that Cisco isn't doing anyone any favours, conceptually or otherwise, by adding to ISORM and calling it 'XML Networking' just because you can hardware accelerate some of it.

Look at it this way though, that is 65534 less ports to worry about ;-)

I refuse to wax nostalgic about the networking days of yore... if I wasn't able to spend half to two-thirds of any given day watching cleverly disguised guerrilla marketing adverts on YouTube... oh, that would be a reality too terrible to imagine. =D

Jason Meltzer (https://www.blogger.com/profile/05689158632756750517), 2007-02-12 15:58 (-0500):
This comment has been removed by the author.
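Editor's note, added to this comment thread and not part of the original post or any commenter's text: John Ward's comment above suggests that a monitoring rule keyed on the context path of a GET or POST request is enough to tell a web-service call from a fetch of a static HTML page when both share one port. The Python below is an added example of such a rule run over constructed web-server access-log lines (Combined Log Format). The context prefixes `/services/`, `/axis/` and `/ws/`, the static-file suffixes, and the sample log entries are all assumptions made for the example; a real deployment would take the prefixes from the container's actual deployment descriptors.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Feb/2007:15:14:00 -0500] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Feb/2007:15:14:01 -0500] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Feb/2007:15:14:02 -0500] "POST /services/StockQuote HTTP/1.1" 200 640 "-" "Axis/1.4"
10.0.0.9 - - [13/Feb/2007:15:14:03 -0500] "GET /services/StockQuote?wsdl HTTP/1.1" 200 2210 "-" "Axis/1.4"
10.0.0.7 - - [13/Feb/2007:15:14:04 -0500] "POST /login.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Feb/2007:15:14:05 -0500] "GET /images/logo.png HTTP/1.0" 200 4402 "-" "Mozilla/5.0"
"""

# Request-line fields of the Combined Log Format: client IP, timestamp,
# method, path, protocol, status and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical context paths under which the web-service endpoints are
# deployed (assumption for this example), and the suffixes treated as
# static content.
SERVICE_PREFIXES = ("/services/", "/axis/", "/ws/")
STATIC_SUFFIXES = (".html", ".htm", ".css", ".js", ".png", ".gif", ".jpg", ".ico")


def classify(method, path):
    """Label one request as 'web-service', 'static' or 'other' from its path.

    The query string is split off so that "?wsdl" (a WSDL fetch) is
    recognised even though the path part alone would match a service prefix
    anyway, and so that query strings on static pages do not confuse the
    suffix check. The method is accepted for callers that want to extend the
    rule; the classification here is path-based, as in the comment.
    """
    base, _, query = path.partition("?")
    base = base.lower()
    if base.startswith(SERVICE_PREFIXES) or query.lower() == "wsdl":
        return "web-service"
    if base.endswith(STATIC_SUFFIXES) or base == "/":
        return "static"
    return "other"


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Count request kinds and flag POSTs aimed at static pages.

    A POST to something that should only ever be served as a static file is
    the kind of mismatch a monitoring rule on the context path would raise.
    Returns (counts, flagged) where flagged is a list of (ip, method, path).
    """
    counts = Counter()
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        kind = classify(rec["method"], rec["path"])
        counts[kind] += 1
        if kind == "static" and rec["method"] == "POST":
            flagged.append((rec["ip"], rec["method"], rec["path"]))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for kind, n in sorted(counts.items()):
        print(f"{kind:12s} {n}")
    for ip, method, path in flagged:
        print(f"flag: {method} {path} from {ip} (POST to static content)")
```

The rule is deliberately path-only, which is exactly its weakness: it works when the container really does confine service endpoints to a known context path, and silently misses anything deployed elsewhere, which is why the comment's other point (putting the services on their own port in the first place) is the stronger control.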