August 03, 2004, 12:00 AM

To survive in this business (or any business) we have to build mental models of the complex systems that surround us. These models are often severe simplifications of reality.
Here are some examples:
- complex carbohydrates are good for you
- radiation is harmful
- block everything from the Internet except port 80 and your network will be secure
Let us look at the last one of these. The simplest mental model for a network firewall is as follows. Think of an Internet connection as a long line of faucets, each of which has its own unique number known as a port number. Port 80 is the one used for web pages, so you leave that one open to allow the outside world to access your website. All other ports are for computer-to-computer trickery. Turn as many of these off as you possibly can. If anybody asks you to open up a port number, look horrified and refuse. Repeat until the requester goes away.
This model, simplistic though it is, works fairly well if you think of the Web as a publishing technology. There are web pages. Web pages sit on web servers. Web browsers ask for web pages on Port 80. Port 80 traffic is just page requests coming in (HTTP) and page data going out (HTTP+HTML). Simple, safe.
Unfortunately, the word "publishing" takes on a whole new meaning in the electronic world. As the web evolved from static pages to CGI scripts to application servers, the act of "publishing" something has become synonymous with running a program on the server - your server.
Now, running applications is a more dangerous thing than serving up static HTML pages for sure. However, the metaphor of Port 80 proved strong enough to last the onslaught of the application servers. Who cares if port 80 traffic causes programs to run as long as those programs are just generating Web pages? What damage can they do?
Quite a lot actually, but I digress. Recently, the Web has evolved again. The concept of a "Web Service" is aimed squarely at the idea of computer-to-computer trickery (the very kind of interaction your firewall's blocked ports are meant to stop!) occurring over the Web. In other words, over our benign, harmless friend, port 80.
Web Services spell the end (thankfully!) of the simple mental model of firewalls. With Web Services, XML technologies are used to allow essentially any computing operation to be expressed in what looks to the firewall like a benign HTTP "give me this page" request.
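To make the point concrete, here is an added example (not code from the column) contrasting the port-number model with a look at what actually travels over port 80. The three sample requests are constructed for illustration; the markers used to recognise them (the SOAPAction header and the Envelope root for SOAP, the methodCall root for XML-RPC, and the text/xml content type) are those the published protocols use. A port filter answers "allow" for all three; only inspection of the HTTP request tells a page fetch apart from a remote procedure call.

```python
"""Port-80 traffic is not all page requests: a port filter versus
a request classifier.

Added example, not part of the original column. The three sample
requests are constructed; the SOAP and XML-RPC markers follow the
published protocols (SOAPAction header, Envelope / methodCall roots).
"""

import xml.etree.ElementTree as ET

# Constructed sample requests, exactly as a firewall would see them on port 80.
PAGE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)

SOAP_REQUEST = (
    "POST /orders HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: text/xml\r\n"
    'SOAPAction: "urn:example:PlaceOrder"\r\n'
    "\r\n"
    '<?xml version="1.0"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><PlaceOrder><sku>42</sku><qty>1000</qty></PlaceOrder></soap:Body>"
    "</soap:Envelope>"
)

XMLRPC_REQUEST = (
    "POST /RPC2 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<?xml version="1.0"?>'
    "<methodCall><methodName>account.delete</methodName>"
    "<params><param><value><int>7</int></value></param></params></methodCall>"
)

XML_TYPES = ("text/xml", "application/xml", "application/soap+xml")


def port_filter(port):
    """The 'port 80 good, other ports bad' model: the only question it asks."""
    return "allow" if port == 80 else "deny"


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def _local_name(tag):
    """Strip an XML namespace prefix of the form {uri}name."""
    return tag.rsplit("}", 1)[-1]


def classify_request(raw):
    """Look past the port number: what is this port-80 request doing?

    Returns 'page-request', 'soap-call', 'xmlrpc-call',
    'unknown-xml-post' or 'other'.
    """
    method, _path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()

    if method == "GET" and not body:
        return "page-request"          # the benign "give me this page" case

    if method == "POST" and ctype in XML_TYPES:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return "other"
        if _local_name(root.tag) == "Envelope" or "soapaction" in headers:
            return "soap-call"
        if _local_name(root.tag) == "methodCall":
            return "xmlrpc-call"
        return "unknown-xml-post"

    return "other"


def rpc_method_name(raw):
    """Pull the operation name out of a SOAP or XML-RPC body, for logging."""
    kind = classify_request(raw)
    if kind not in ("soap-call", "xmlrpc-call"):
        return None
    _m, _p, _h, body = parse_http_request(raw)
    root = ET.fromstring(body)
    if kind == "xmlrpc-call":
        return root.findtext("methodName")
    for elem in root.iter():                      # SOAP: first child of Body
        if _local_name(elem.tag) == "Body":
            first = next(iter(elem), None)
            return _local_name(first.tag) if first is not None else None
    return None


if __name__ == "__main__":
    for label, req in (("page", PAGE_REQUEST), ("soap", SOAP_REQUEST), ("xmlrpc", XMLRPC_REQUEST)):
        print(label, port_filter(80), classify_request(req), rpc_method_name(req))
```

Running it shows the same "allow" from the port filter for every request, while the classifier separates the page fetch from an order-placing SOAP call and an account-deleting XML-RPC call; that second column is what a port-only firewall never sees.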
We need a new metaphor. The old epithet of "port 80 good, other ports bad" just does not pass muster anymore. I do not have any suggestions for what the new metaphor should be. I do, however, have a word I use to explain the dangers that accompany the benefits of Web Services in enterprise applications. That word is steganography[1].
Steganography is the science of hiding sensitive information in what looks like harmless information. In antiquity, secret messages were tattooed onto the shaved heads of messengers who then regrew their hair. Invasion plans were disguised as laundry lists. You get the idea.
Steganography in the modern world is the science of hiding sensitive information in harmless looking data streams such as digital photographs, audio streams, Web Service payloads...
Appearances can be deceiving. Port 80 is not the harmless thoroughfare it might first appear to be. If I were a network administrator out there today, I wouldn't be taking my eye off of port 80 for as much as a second.