Living with Firewalls

Owen Rees
Hewlett-Packard Laboratories, Bristol
Owen_Rees@hpl.hp.com

Distributed object computing is emerging from the private networks controlled by a single organisation out onto the public Internet. As this happens, the object interactions have to cross the organisational boundaries that are defended by firewalls. Conventional firewall control mechanisms are not well matched to the needs of distributed object computing, and there is a potential conflict that can lead to weakened security, reduced functionality, or both.

Approaches based on undermining, working around or otherwise defeating the firewall may be the only option for individuals experimenting with the technology, but these are not a good basis for secure distributed computing across enterprise boundaries. If distributed object computing is to become the platform for the inter-enterprise co-operation of the future, it must work with the firewalls to support and enforce the enterprise security policy.

Although there are some descriptions of using DCOM or RMI through firewalls, only for CORBA has there been a substantial effort to address the issues and specify mechanisms to support interactions through firewalls. Unfortunately, even for CORBA, the specification seems to aim more at getting the interactions to work despite the firewall than at devising a mechanism that supports secure, controlled interaction in co-operation with the firewall.

The objective of most current efforts seems to be to add a little gloss to the web browsing experience through applets that interact with objects hosted at the web server, or reachable via that server. With this objective it is reasonable to assume that there is little incentive to qualify and deploy distributed object support mechanisms at the firewall.
If we adopt the different objective of enabling full-scale inter-enterprise distributed computing to support collaborative ventures, there is an incentive to deploy the appropriate technology at the firewall. This leads to a quite different emphasis in the design of the mechanism. Security, and retaining control over the visibility of resources, are key issues. Coping with the restrictions placed on an applet by a browser becomes less important.

Fortunately, CORBA already has all the necessary features that allow the creation of a gateway that is transparent to the interacting objects. The objects are unaware of the gateway; the fine-grained access control that it can enforce appears as if it were a feature of the application objects. A CORBA gateway of this kind has been implemented with both a generic proxy mechanism that can handle any type, and some add-on type-specific proxies to explore the extensibility and customisation that will be essential to support application requirements.

With the addition of a privileged relay component, this gateway implementation can mediate CORBA interactions across the HP Praesidium VirtualVault, which uses multi-level security features of the underlying operating system to separate its network interfaces. The VirtualVault configuration has been used to verify invocations across two gateways, configured in client-side and server-side roles.

The gateway implementation shows that for CORBA at least, object interactions can take place across firewalls without undermining the security policy by creating dangerously large holes, or by exposing unnecessary objects. This sympathetic approach to firewall issues is essential if distributed object computing is to be the preferred platform for inter-enterprise collaborations.
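
The gateway idea described above (a generic proxy for any type, add-on type-specific proxies, and visibility limited to exported objects) can be sketched as a simplified model. This is an added example, not code from the paper or from the HP implementation; the class names, the `Account` servant, the principals and the withdrawal limit are all hypothetical, and the two exception classes stand in for the standard CORBA system exceptions OBJECT_NOT_EXIST and NO_PERMISSION.

```python
class ObjectNotExist(Exception):
    """Models the CORBA OBJECT_NOT_EXIST system exception."""

class NoPermission(Exception):
    """Models the CORBA NO_PERMISSION system exception."""

class GenericProxy:
    """Forwards any operation of any type; default-deny per operation."""
    def __init__(self, target, acl):
        self._target = target
        self._acl = acl                      # {operation: {principals}}

    def invoke(self, principal, operation, *args):
        if principal not in self._acl.get(operation, ()):
            raise NoPermission(operation)    # caller sees the object refusing
        return getattr(self._target, operation)(*args)

class AccountProxy(GenericProxy):
    """Type-specific add-on (hypothetical): also inspects arguments."""
    LIMIT = 100

    def invoke(self, principal, operation, *args):
        if operation == "withdraw" and args and args[0] > self.LIMIT:
            raise NoPermission("withdraw over limit")
        return super().invoke(principal, operation, *args)

class Gateway:
    """Only exported objects are reachable; others do not exist outside."""
    def __init__(self):
        self._exported = {}                  # external key -> proxy

    def export(self, key, proxy):
        self._exported[key] = proxy

    def dispatch(self, principal, key, operation, *args):
        proxy = self._exported.get(key)
        if proxy is None:
            raise ObjectNotExist(key)        # same answer as a bad reference
        return proxy.invoke(principal, operation, *args)

class Account:                               # constructed sample servant
    def __init__(self, balance):
        self._balance = balance
    def balance(self):
        return self._balance
    def withdraw(self, amount):
        self._balance -= amount
        return self._balance

def build_demo():
    gw = Gateway()
    acl = {"balance": {"partner", "auditor"}, "withdraw": {"partner"}}
    gw.export("acct-1", AccountProxy(Account(500), acl))
    return gw
```

An operation absent from the allow-list is refused for every principal, and a key that was never exported is indistinguishable from one that never existed, so the gateway does not reveal which internal objects are present.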