SecurityFocus 2002-01-24
A guide to judging Microsoft's security progress.
Results, Not Resolutions
2002-01-24
David Litchfield (2 replies)
Well, to conclude: Use Java, M$
2002-01-25
Anonymous (1 replies)

Those firewalls are there for a reason! Obviously, the firewall can't protect from actively malicious tunneling through HTTP, but widespread use of SOAP will open up whole new classes of security problems when every VB or Java 'programmer' makes SOAP calls with no thought to the trustworthiness of the channel and remote agent.
Widespread RPC is the kind of thing that must be carefully designed and implemented to minimize these problems. Fast-tracking it past IT security professionals by trying to pass it off as a previously accepted protocol is not conducive to this.
Security will suffer until people upgrade their simple layer 3 firewalls to do layer 7 introspection, making them more complicated and less secure.
Perhaps before you accuse others of speaking beyond their knowledge, you should consider the limits of your own.
Link to this comment: http://www.securityfocus.com/comments/articles/315/10140#10140