[zeromq-dev] Fwd: Access control

Martin Lucina mato at kotelna.sk
Tue Jul 27 18:51:58 CEST 2010


ph at imatix.com said:
> On Tue, Jul 27, 2010 at 6:30 PM, Martin Lucina <mato at kotelna.sk> wrote:
> 
> > These days this kind of thing is generally out of the control of the
> > application and handled by administrators using firewall rules.
> 
> Uhm, firewalls are obviously necessary defense for certain kinds of
> attack, but they generally can't handle clients that send malformed
> requests indicating infection or hostile intent.
> 
> A smart HTTP server checks for known attacks (proxy probes, invalid
> paths, SQL injections, over-long requests, too many concurrent
> requests) and adds such clients' IP addresses to a black list.  It
> does not continue to accept them, that would pollute logs.  It cannot
> get firewall assistance for this.

Interesting, I've not actually seen an HTTP server that implements the
functionality you describe. What you are describing is more along the lines
of an IDS coupled with a stateful firewall.

> Any Internet scale service using 0MQ is going to have to be able to
> temporarily or permanently reject incoming connections on random
> criteria.
> 
> Trivial example: 0MQ XREQ client that makes endless new connections to
> a 0MQ XREP server, specifying new identities each time.  Server
> crashes.  Firewall looks on in amusement.

Stateful firewall of 2010 != what you are thinking. You can define
connection rates per minute, manipulate rules automatically if you so wish.

I'm not saying that 0MQ one day may not have some minimum of the
functionality you're describing, but, 0MQ sockets being at the layer they
are in terms of the network stack, most of what you're describing is really
an OS/admin/IDS/firewall job and not 0MQ's job.

-mato
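The policy the thread argues about (rate-limit new connections per peer, and temporarily drop peers that exceed the limit or send malformed requests) is small enough to show in application code. The block below is an added illustration written for this page; it is not 0MQ code and not from either poster. It assumes the application can learn the remote address of each connecting peer from its transport layer; the `PeerAdmission` class, its parameters and the sample addresses are all constructed here.

```python
"""Per-peer connection admission control: a sliding-window rate limit plus a
temporary block list.  Added illustration of the policy discussed in the
thread; not part of 0MQ."""
import time
from collections import defaultdict, deque


class PeerAdmission:
    """Decide whether to accept a new connection from a peer address.

    A peer may open at most `max_conns` connections in any `window` seconds.
    Exceeding the limit puts the peer on a temporary block list for
    `ban_seconds`.  `malformed()` lets the application report a protocol
    violation, which blocks the peer immediately (the behaviour the thread
    attributes to HTTP servers).
    """

    def __init__(self, max_conns=5, window=60.0, ban_seconds=300.0,
                 clock=time.monotonic):
        self.max_conns = max_conns
        self.window = window
        self.ban_seconds = ban_seconds
        self.clock = clock                    # injectable so tests need not sleep
        self._attempts = defaultdict(deque)   # peer -> timestamps of recent connects
        self._banned_until = {}               # peer -> time at which the block expires

    def _expire(self, peer, now):
        """Drop attempts older than the window and lift expired blocks."""
        q = self._attempts[peer]
        while q and now - q[0] > self.window:
            q.popleft()
        if peer in self._banned_until and self._banned_until[peer] <= now:
            del self._banned_until[peer]

    def is_banned(self, peer):
        now = self.clock()
        self._expire(peer, now)
        return peer in self._banned_until

    def connect(self, peer):
        """Record a connection attempt; return True if it should be accepted."""
        now = self.clock()
        self._expire(peer, now)
        if peer in self._banned_until:
            return False
        q = self._attempts[peer]
        q.append(now)
        if len(q) > self.max_conns:
            # Over the limit: block the peer and forget its history so the
            # block, not the stale attempts, governs the next decision.
            self._banned_until[peer] = now + self.ban_seconds
            q.clear()
            return False
        return True

    def malformed(self, peer):
        """Report a malformed request from `peer`: block it immediately."""
        self._banned_until[peer] = self.clock() + self.ban_seconds


def demo():
    """Constructed scenario driven by a fake clock so it runs instantly.

    Returns the accept/reject decisions in order."""
    t = [0.0]
    adm = PeerAdmission(max_conns=3, window=60.0, ban_seconds=300.0,
                        clock=lambda: t[0])
    results = []
    for _ in range(4):                        # 4th connect exceeds the limit of 3
        results.append(adm.connect("10.0.0.1"))
        t[0] += 1.0
    results.append(adm.connect("10.0.0.1"))   # still blocked
    t[0] += 301.0                             # block has expired
    results.append(adm.connect("10.0.0.1"))   # accepted again
    adm.malformed("10.0.0.2")                 # protocol violation reported
    results.append(adm.connect("10.0.0.2"))   # rejected outright
    results.append(adm.connect("10.0.0.3"))   # unrelated peer is unaffected
    return results


if __name__ == "__main__":
    print(demo())
```

The clock is injected so the behaviour can be exercised deterministically; in production the default `time.monotonic` is used. The per-peer state is bounded by the window length and the connection limit, so a peer cannot grow the tracker's memory by connecting rapidly, which is the failure mode the thread's "endless new connections" example describes.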
