- Nokia's new N97 vs. the iPhone
- 10 Microsoft research projects
- Hard to get justice in MySpace case
- Smartphone smackdown: Storm vs. iPhone
- Apple removes antivirus support page
Many years ago, I admired my sister's deadbolt. I made a silly comment as to how it looked like it would be impossible to break into the New York City apartment. My brother-in-law corrected me. "It's not impossible. It doesn't have to be," he said. "It just has to be harder to break into this apartment than into the other apartments." Think of it as a variation on the joke, "I don't have to outrun the bear. I just have to outrun you."
Now consider this facet of SOA. One of the greatest things about SOA services is that they are discoverable. And one of the worst things about SOA-from a security perspective-is that services are discoverable. In many cases, a cracker simply needs to scan for open ports on your servers to find out that you have a service on a given port. After that, the cracker only needs to figure out how to break your authentication mechanism. Depending on the service, the SOA component could give away everything else the cracker needs to know to access sensitive data.
Obviously, you can choose a superb authentication process to shore up your security. That may be enough. But why not add another layer of protection so that your services are harder to crack than the ones next door?
One especially useful technique, especially if you are responsible for building custom client software to access your SOA components, is to hide your services behind a port knocking-protected firewall.
Before we look at how port knocking works, let's have a micro-tutorial on ports. Every network-accessed service on the Internet uses ports. For example, your Web server, if you have one, most likely uses the standard port, which is port 80. Your Internet e-mail server is probably using port 25. There are many standard ports for common services. Some services use non-standard port numbers, and some services even pick a port number almost at random. Crackers can discover what services your company supports by scanning all the ports on your servers. The port scanners simply knock on your server's door at port 1, check for a response, then knock at port 2, check for a response, and so on, sequentially. If your server responds at port 25, then the cracker has most likely discovered not only that you have an email server, but the cracker can also figure out from the response what kind of email server you have, and what types of security you are using.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 The Leader in Network Knowledge© 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment