Date: Tue, 17 Mar 1998 10:32:50 -0500
From: Brian Blevins <brian@maxtech.com>
To: David.Brownell@Eng,
Subject: A Secure Java Firewall Tunnel
David,
Concerning "A Secure Java Firewall Tunnel", which I read at:
http://www.oadg.or.jp/activity/mncrs/mobcomm/fwt/doc/mncrs.html
This is a brilliant concept. Encryption across the
Internet really should not be an application level issue.
I believe that IPv6 addresses this at the transport level.
However, there is a real need for current java applets
running on current networks.
Why does the "javax.net" need to be used? Why can a signed
applet not set the standard "java.net" socket factory to implement
whatever secure tunnelling service it needs? Is the standard
Socket factory not responsible for DatagramSockets as well as
regular Sockets? I realize that JDK 1.1 is required to allow
subclassing of the Socket classes; I just don't understand why
the "javax.net" needs to be involved.
Also:
> At this time, this only works for TCP based application protocols.
> Most "mission critical" Internet applications today run over TCP. It has highly desirable
> scaling properties, due to extensive tuning of TCP stacks. Also, it doesn't require the
> application developers to master any of the "rocket science" associated with datagram
> protocols (such as UDP).
Wrong answer. Many database applications use UDP because it better
fits the query/response model. There is no "rocket science" to UDP.
Professional developers that do not expect to develop code with some
point-and-click GUI builder can generally handle UDP just fine. You
need to support all IP traffic, including UDP.
> There are tradeoffs between approaches for supporting application tunneling through the
> firewall. In some cases, it takes work to make the protocols be "firewall aware". In
> particular, sites will differ on their willingness to support the "power user" scenario of full
> IP access to corporate networks:
True enough. Tunnel access should be controlled and limited to certain
hosts, ports, etc., behind the firewall. The key is still to not impact the
application.