WBMM> RE: Scope and Starting Point

McDonald, Ira imcdonald at sharplabs.com
Fri Feb 21 15:25:59 EST 2003


Hi Bill,

In your model, special firewall setup IS necessary!

In-bound HTTP (even on port 80) from the Internet to someone's
desktop computer or printer is exactly what system admins
don't allow across their firewalls.  The inbound HTTP is
allowed ONLY to specific IP addresses (internal Web servers
or FTP servers).

PSI implementations MUST ONLY use the (future) IANA-assigned
PSI "registered port" (a number greater than 1024 for a vendor
defined protocol).

PSI implementations (even by administrator configuration)
MUST NOT ever use port 80.

Firewall friendly (according to the IETF's work-in-progress
guidelines on "firewall friendly") means that applications
never share the same "well-known" (< 1024) or "registered"
port.

The premise that using HTTP transport is "firewall friendly"
is obsolete.  The best document on the topic is Keith Moore's
"On the use of HTTP as a Substrate" (RFC 3205, February 2002)
which is Best Current Practice status.

Cheers
- Ira
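The admin-side policy Ira describes above, as an added example that is not part of any message in this thread: a minimal first-match evaluator for inbound edge traffic in which HTTP reaches only the published web servers and a vendor protocol such as PSI gets its own port and its own destination list. All addresses, ports and flows are constructed for illustration, and PSI_PORT is a placeholder because the IANA assignment was still pending when this was written.

```python
# Added example (not from the thread): first-match policy for inbound flows
# crossing an enterprise firewall. Every value below is constructed.
import ipaddress
from dataclasses import dataclass

PSI_PORT = 49152  # placeholder for the future IANA-registered PSI port

ENTERPRISE_NET = ipaddress.ip_network("10.0.0.0/8")       # constructed
PUBLIC_WEB_SERVERS = {ipaddress.ip_address("10.0.1.10")}  # constructed DMZ host
MANAGED_PRINTERS = {ipaddress.ip_address("10.0.5.20")}    # constructed printer


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow arriving at the firewall.

    Only Internet-to-enterprise (inbound) traffic is modelled; anything
    else, including outbound employee web access, falls through to deny here.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    inbound = src not in ENTERPRISE_NET and dst in ENTERPRISE_NET
    if not inbound or flow.proto != "tcp":
        return "deny"
    # HTTP is admitted only to addresses explicitly published as web servers,
    # so port-80 traffic aimed at a desktop or printer never gets through.
    if flow.dport in (80, 443):
        return "allow" if dst in PUBLIC_WEB_SERVERS else "deny"
    # The vendor protocol rides on its own registered port with its own
    # destination list, so the admin can see and audit it apart from web traffic.
    if flow.dport == PSI_PORT:
        return "allow" if dst in MANAGED_PRINTERS else "deny"
    return "deny"  # default deny for everything else
```

Evaluating a port-80 flow to the printer returns "deny" while the same flow on PSI_PORT returns "allow", which is the distinction the message draws.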



-----Original Message-----
From: Wagner,William [mailto:WWagner at NetSilicon.com]
Sent: Friday, February 21, 2003 11:55 AM
To: McDonald, Ira; 'Wbmm (E-mail)'
Subject: RE: WBMM> RE: Scope and Starting Point


Ira,

Perhaps that was an unfortunate term to use. I think Axeda uses the term
"firewall friendly (C)". The intent is to provide limited access to imaging
devices without jeopardizing enterprise or network security, but also
without requiring special tunneling in the firewalls beyond what must be
done to provide employee internet access. Indeed, it was my understanding
that this is a basic premise of PSI as well.

If there is firewall application cracking, then we must consider how
to address that. But, from the perspective of someone involved with
deploying such equipment, the approach becomes much less viable (read
unacceptable to most customers) if special firewall setup is needed.

Thanks.

Bill Wagner

-----Original Message-----
From: McDonald, Ira [mailto:imcdonald at sharplabs.com]
Sent: Friday, February 21, 2003 12:35 PM
To: Wagner,William; 'Wbmm (E-mail)'
Subject: RE: WBMM> RE: Scope and Starting Point


Hi Bill,

I disagree - "finessing firewalls" by using HTTP (presumably
on specifically port 80?) is NOT a valid goal in my opinion.

Neither customers nor vendors should WANT to "finesse"
firewalls.

Cheers,
- Ira McDonald

PS - Note that most new firewalls do application level cracking
of HTTP port 80 traffic, so "finessing" them is not going to be
easy in the future.


-----Original Message-----
From: Wagner,William [mailto:WWagner at NetSilicon.com]
Sent: Thursday, February 20, 2003 4:04 PM
To: 'Wbmm (E-mail)'
Subject: RE: WBMM> RE: Scope and Starting Point

Bob Taylor had a very good suggestion.  "...try to identify the issues before
[the conference call], so you might ask that everyone post them to WBMM before
the meeting. For "simple" issues, we may be able to knock them off in email,
saving our phone time for the more significant/contentious issues."

I had intended that sort of thing in asking for comments on the write-up (or
any other comments that were felt to be germane). But an explicit request
may be more fruitful.

Please forward your issues to the list!

Let's start with a few that I see.

1. Basic purpose: I have defined it as access by an external agent to
imaging devices on an enterprise network, for the purpose of monitoring
usage and alerts, perhaps for doing maintenance tests and general
configuration, and perhaps for downloading files including executables,
fonts, upgrades, etc.
	a. Do we have agreement on this?
	b. Is there a strong feeling that the scope must be expanded, and if
so, how?

2. Consideration of the approaches in the documents referenced by Ira, Lee
and Don (thank you all). Should we embrace, ignore, or possibly extract some
aspects from which ones?
  My contention is:
	a. as overall approaches, all seem to lack the concept of finessing
firewalls
	b. approaches intended for managing/configuring networks miss the
problems of an external agent trying to manage devices on the network. The
MIS people want some inherent restrictions on what the external site can do,
and in many cases, want to be able to monitor messages being sent out to
make sure that there is nothing untoward.
	c. we may however, want to consider some other aspects of the other
approaches. Perhaps the coding or the notion of XML coded RPCs.

3. Is there general agreement on the use of HTTP clients operating in a
Browser-like mode as the mechanism to finesse firewalls?

Please feel free to add issues!

Many thanks,

Bill Wagner/NetSilicon



-----Original Message-----
From: TAYLOR,BOB (HP-Vancouver,ex1) [mailto:bobt at hp.com]
Sent: Thursday, February 20, 2003 3:49 PM
To: Wagner,William
Subject: FW: WBMM> RE: Scope and Starting Point


3/4 4-5 EST works for me.  One suggestion: Given that you only are
allocating one hour, it might be good to try to identify the issues before
then, so you might ask that everyone post them to WBMM before the meeting.
For "simple" issues, we may be able to knock them off in email, saving our
phone time for the more significant/contentious issues.

bt

-----Original Message-----
From: Wagner,William [mailto:WWagner at NetSilicon.com]
Sent: Wednesday, February 19, 2003 6:11 PM
To: wbmm at pwg.org
Subject: WBMM> RE: Scope and Starting Point

Greetings:

I have attached some thoughts on the use cases the WBMM should be
addressing, and taken a cut at defining a starting point.  The document is
posted to:
ftp://ftp.pwg.org/pub/pwg/wbmm/white/wbmm_Scope&Start.pdf

I would appreciate some feedback with the objective of finding common ground
within the working group. Would a conference call on 4 March, 4-5 PM EST be
agreeable?



Bill Wagner