Sunday, June 06, 2004
weekend followup: standards good. stupidity bad.
I suppose that it's just bitterness after yesterday's shiny new firewall installation/de-installation (mentioned in the previous post), but I feel the need to mention this...
The company that makes the shiny new firewalls that we (hope to one day) use at our colocation facility also made the firewall that we recently installed at our main office. The office firewall is a perfectly good appliance in most respects, but it has one limitation that just boggles the mind.
A few days after installing the office firewall, I started hearing curious intermittent complaints about some Web sites behaving oddly, certain (nonessential third party) applications not working, and the like. After a fair number of hours of review, we found that SSL was the common thread in all cases.
It turns out that the firewall that we installed in the office takes a very strict view of RFC 2246 (The TLS Protocol Version 1.0); if the communication doesn't follow the RFC, it is dropped by the firewall.
That seemed great, at first.
"Excellent default setting!" we said, "it would have been nice to know about it before we installed the device, but nevertheless cool! But since we live in the real world, where we have to communicate with people who are using software that may not be strictly RFC compliant, how do we turn this feature off?"
Turns out you do that by moving out into slightly experimental territory...there is no "stock" way to turn this feature off. RFC compliance seemed like too good an idea to the designers and engineers, so RFC compliance was dictated. It apparently never occurred to anyone involved that the world might not always comply with the RFC.
If the issue with the shiny new firewalls is anything similar to this, I may have to kick somebody's ass.
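To make concrete what "strict RFC 2246" enforcement can look like at the record layer, here is an added example (not from the post, and not the firewall vendor's logic, which the post does not describe): it checks each TLS record header against the TLSCiphertext layout in RFC 2246 section 6.2 and reports the first thing a strict filter would object to, such as an SSL 2.0-format hello or an SSLv3 (3.0) record version. The sample byte strings are constructed for illustration.

```python
import struct
from typing import List, Tuple

# RFC 2246 section 6.2.1 ContentType values.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# RFC 2246 section 6.2.2: TLSCiphertext.length must not exceed 2^14 + 2048.
MAX_CIPHERTEXT = 2**14 + 2048

def check_record(data: bytes) -> Tuple[bool, str]:
    """Strictly check the first TLS 1.0 record in `data`.

    Returns (True, content_type_name) if the 5-byte header conforms to
    RFC 2246 and the body is present, else (False, reason).
    """
    if len(data) < 5:
        return False, "short header"
    if data[0] & 0x80:
        # SSL 2.0 record format (RFC 2246 Appendix E): high bit of the first
        # byte is set. Not a TLS 1.0 record, so a strict filter rejects it.
        return False, "sslv2-format record"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        return False, f"unknown content type {ctype}"
    if (major, minor) != (3, 1):
        # SSLv3 records carry 3.0; anything but 3.1 fails a TLS 1.0-only check.
        return False, f"version {major}.{minor} is not TLS 1.0"
    if length > MAX_CIPHERTEXT:
        return False, f"length {length} exceeds 2^14+2048"
    if len(data) < 5 + length:
        return False, "truncated record body"
    return True, CONTENT_TYPES[ctype]

def audit_stream(data: bytes) -> List[Tuple[bool, str]]:
    """Walk consecutive records in `data`; stop at the first non-compliant
    record, since framing cannot be trusted after a bad header."""
    results, offset = [], 0
    while offset < len(data):
        ok, reason = check_record(data[offset:])
        results.append((ok, reason))
        if not ok:
            break
        offset += 5 + struct.unpack("!H", data[offset + 3:offset + 5])[0]
    return results

if __name__ == "__main__":
    # Constructed samples: a TLS 1.0 handshake record, an SSL 2.0-style hello,
    # and an SSLv3 record. Only the first passes the strict check.
    for sample in (b"\x16\x03\x01\x00\x02\x01\x00", b"\x80\x2e\x01\x03\x01",
                   b"\x16\x03\x00\x00\x01\x01"):
        print(sample[:5].hex(), check_record(sample))
```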