Home Comments

suggest for Security of ice

dragzhbdragzhb Member ✭✭
I have found that ice is very excellent than CORBA, special for Security,But I think it can be improved better.

one suggest:

This time ICE implement Security in firewall, But I think it can be implement in ICE inner, this time in inner network, anybody who know IP address and Port which ICE is listened can connect to it. I think that who want to connect to ICE Services must put username and password, if not, then ICE don't let it to connect. and also ICE can implement java J2EE Security.

two suggest:

ICEstorm is very simple and have no Security, anybody who knnow IP address and Port can connect to it. I think IceStorm may implement security too.
and IceStorm can implement Java™ Message Service (JMS) 1.1 Requirements

Comments

  • marcmarc FloridaAdministrators, ZeroC Staff Marc LaukienOrganization: ZeroC, Inc.Project: The Internet Communications Engine ZeroC Staff
    Regarding your first suggestion, Glacier can do exactly that. It acts as a firewall, session manager, and can also use any password authentication mechanism of your choice by implementing the PermissionsVerifier interface.

    Regarding the second suggestion, you can use SSL with client-side authentication. Then only clients holding the proper certificate can connect.
  • dragzhbdragzhb Member ✭✭
    Thanks for your ansower.
    for your second ansower, but java can't use SSL, How can I implement it in java?
  • marcmarc FloridaAdministrators, ZeroC Staff Marc LaukienOrganization: ZeroC, Inc.Project: The Internet Communications Engine ZeroC Staff
    Sorry, there is currently no SSL for Ice for Java. You could, however, have all clients route through Glacier, and use IceStorm on the back-end.
  • hellocyfhellocyf Member
    is glacier security enough?

    the frontend which run glacier must open all port,
    that was very dangerous!
  • marcmarc FloridaAdministrators, ZeroC Staff Marc LaukienOrganization: ZeroC, Inc.Project: The Internet Communications Engine ZeroC Staff
    You don't need to open all ports, only the ones >= 1024. I don't see why this is dangerous, if you don't run any programs that listen on these ports (other than Glacier).
  • hellocyfhellocyf Member
    ok

    that's ok,port>= 1024

    The method of Glacier is defective in practice.
    ,because client network environment is protected due to security,and in such circumstance,maybe only several ports could be accessible.
  • marcmarc FloridaAdministrators, ZeroC Staff Marc LaukienOrganization: ZeroC, Inc.Project: The Internet Communications Engine ZeroC Staff
    I disagree. We use Glacier all the time in practice, and I can't see anything defective.

    For the client side, you don't need to open any incoming ports, only outgoing ports. This is the default for all firewalls I know of (dlink, linksys, ...), meaning that for the client side firewalls, you usually don't need to configure anything.
  • hellocyfhellocyf Member
    1 port

    They will close port mostly,except some special port ,such as 80
    in many office.These clients will not connect to server.So fewer port will
    make more simply to process such Scenario.
    we can select a very popular port,such as 80,so most of client can connect.
    and glacier starter will pass connection to router,that's will decrease dependecy will network evironments.
Sign In or Register to comment.