Background

Firewalling IIOP - a Problem and the Solution

Traditional firewall technology, such as packet filtering and stateful inspection, does not provide the means to securely run CORBA and EJB based distributed applications through existing firewall installations: CORBA and EJB middleware do not work together with traditional firewall concepts, and traditional firewalls do not provide application level security, such as fine-grained access control.


There are two obvious problems for the use of the Internet Inter-ORB Protocol (IIOP) across today's firewalls:

  • The dynamic allocation of addresses by CORBA and EJB middleware makes it difficult to know in advance which host and port addresses will be used for transactions. Firewall administrators therefore cannot write rules that let IIOP traffic pass without weakening the existing firewall's security.

  • The addressing information of CORBA objects and Enterprise Java Beans, contained in the object references, is invalidated when crossing a Network Address Translating router or firewall.
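
Both problems come from the host and port being carried inside the object reference itself, where a NAT device that rewrites only IP headers never sees them. The following added example (not Xtradyne code) decodes the IIOP profile of a stringified IOR and reports endpoints whose host is a private address; the sample IOR, the type name `IDL:Demo:1.0`, and the function names are constructed for illustration.

```python
import ipaddress
import struct

class CDR:
    """Reader for one CDR encapsulation (octet 0 is the byte-order flag)."""
    def __init__(self, data):
        self.d, self.pos = data, 1
        self.e = "<" if data[0] else ">"
    def _num(self, fmt, size):
        self.pos += -self.pos % size   # primitives align to their own size
        (v,) = struct.unpack_from(self.e + fmt, self.d, self.pos)
        self.pos += size
        return v
    def ulong(self): return self._num("I", 4)
    def ushort(self): return self._num("H", 2)
    def octets(self):
        n = self.ulong()
        self.pos += n
        return self.d[self.pos - n:self.pos]
    def string(self): return self.octets()[:-1].decode("ascii")  # drop NUL

def iiop_endpoints(ior):
    """(host, port) of every TAG_INTERNET_IOP profile in a stringified IOR."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    r = CDR(bytes.fromhex(ior[4:]))
    r.string()                         # repository type_id, unused here
    found = []
    for _ in range(r.ulong()):
        tag, body = r.ulong(), r.octets()
        if tag == 0:                   # TAG_INTERNET_IOP
            p = CDR(body)              # profile body is its own encapsulation
            p.pos += 2                 # skip IIOP version major/minor
            found.append((p.string(), p.ushort()))
    return found

def private_endpoints(ior):
    """Endpoints whose host is a private IP literal (meaningless beyond the NAT)."""
    def private(host):
        try:
            return ipaddress.ip_address(host).is_private
        except ValueError:             # DNS name: cannot be judged offline
            return False
    return [ep for ep in iiop_endpoints(ior) if private(ep[0])]

# Constructed sample: big-endian IOR, hypothetical type, 10.0.0.5 port 1049.
_profile = (b"\x00\x01\x00\x00" + struct.pack(">I", 9) + b"10.0.0.5\x00\x00"
            + struct.pack(">HI", 1049, 4) + b"key1")
SAMPLE_IOR = "IOR:" + (b"\x00" * 4 + struct.pack(">I", 13) + b"IDL:Demo:1.0\x00"
    + b"\x00" * 3 + struct.pack(">III", 1, 0, len(_profile)) + _profile).hex()
```

A reference that `private_endpoints` flags will direct an external client to an address it cannot reach, which is why a gateway handling IIOP has to rewrite the reference rather than only the packet headers.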

Furthermore, reliable enterprise firewall security must comprise deep packet inspection and security enforcement at the application protocol level for all IIOP traffic crossing the enterprise's domain boundary. User authentication, authorization, content filtering, encryption, and security audit are essential requirements for the secure exposure of CORBA- and EJB-based services to business partners and the outside world. For a detailed analysis of IIOP firewall security, see our white paper.

The only viable solution for the problems and requirements mentioned above is an application level firewall component for the enterprise's firewall installation, an IIOP security gateway.

Xtradyne provides the only complete and middleware-independent turnkey solution for IIOP firewalling and CORBA/EJB server security in high-security, high-availability, and high-performance environments.
© PrismTech, 1999-2008