Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: SOAP/XML Protocol and filtering, etc.
From: Darren Reed <darrenr () reed wattle id au>
Date: Tue, 8 May 2001 08:43:57 +1000 (EST)

In some email I received from Mark Nottingham, sie wrote:
I tend to think of SOAPAction this way, recently;

A malicious user cooperating with an external server can easily work
to get arbitrary messages through a firewall or proxy that allows
HTTP to pass through. This possibility is independent of SOAP; while
they might use SOAP toolkits for convenience, they could just as
easily modify them, or cook them up separately.

That's where a DTD would help

For example, a company may decide that it doesn't
want purchase orders to be sent by SOAP, but doesn't mind other
services, like stock quotes. If option #2 were implemented, it could
block any messages with a SOAPAction containing the namespace URI of
known purchase order messages.

This presumes that all web sites will use the _same_ SOAPAction for
purchase orders.  Why can't I use the name MorkAndMindy as the bit
which identifies the SOAPAction even though it is a purchase order?
How much work is required in discovering what known purchase orders
look like ?

The questions that this brings up, then, are:
  - does this offer significant value over traditional URI filtering?

If you can actually give it some meaning (as in have a DTD), then yes.
Otherwise you are just filtering "free form" structured text.

Re: DTD - I think you mean valid, not well-formed. I'm not sure what
value this would add, except to get errors back more quickly ;)

AFAIK, I don't think there can be a DTD for SOAP documents, because
they're not strictly valid; they contain tags from a number of
namespaces, and are dynamically constructed from modules (what we're
calling 'blocks' now).

Right.  My comment about DTDs was more wishful thinking than anything
else.  Even then that only helps ensure correctness and not content
unless the language spec. says certain things...hmm...I'm not yet
familiar enough with what can be done with "xmnls" things - can that
be used to enforce structure?

The goal here is admirable but I think it's effort mis-spent if the
only raison-d'etre for this is for assistance to firewalls.  Look at
what a hit PICS has been for rating web sites so they can be correctly
filtered.  Afterall, the people who are providing content want to
maximise their target audience, not provide helpful hints to foreign
firewalls to filter it out.

firewall-wizards mailing list
firewall-wizards () nfr com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]