Fix it, don't fake it

Are we all under too much pressure to get projects in and working as quickly as possible, or can we just not be bothered doing a really careful, precise job any more? Or is there some fundamental lack of understanding of how things work starting to permeate our industry?

Tell you why I ask. I was looking through some forums the other day for some ‘real-world’ experiences to do with accelerating virtual desktop sessions over WAN links.

The ICA protocol used for the Citrix VDI solution that my customer had deployed does compression and encryption by default, but several WAN optimiser vendors recommend turning this off so that their optimisers can do their own compression. There are pros and cons to this, particularly round supportability, and I was trying to find out what other people were doing.

Anyway, that’s sort of beside the point. As is the way with Internet searches, I got sidetracked. I’d been searching on ICA port numbers, and ended up on a discussion area to do with firewalls. Someone was having problems getting their VDI sessions to work. And the response: “try just enabling ports 1494, 2598 and 1604 on the firewall, plus 2512 & 2513 and maybe 2897”.

I have an alternative, rather radical solution. How about actually looking at the firewall logs to see what is being blocked first? Or, perish the thought, plugging in a network analyser and looking at the VDI traffic to figure out what ports (and address ranges) you really do need to let through? Or understanding what all these ports are used for (for instance, while 1494 is used for normal ICA session communication, if you enable CGP for session reliability it changes to use 2598, so do you need both?), rather than just opening up any and all ports that just might have something to do with ICA?
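As an added illustration of the log-first approach (not code from the original article), the Python sketch below tallies denied flows from ACL-deny log lines and compares them with the port list from the forum reply. It assumes Cisco ASA message 106023 syntax; the sample lines, addresses, ACL name and the VDI server subnet are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Ports the forum reply suggested opening wholesale (taken from the article).
SUGGESTED = {1494, 2598, 1604, 2512, 2513, 2897}
# Assumption: the VDI servers live in this subnet (invented for the example).
VDI_NET = ipaddress.ip_network("10.50.0.0/24")

# Constructed sample lines; only the 106023 entries are ACL denies.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:10.20.1.15/51514 dst inside:10.50.0.21/2598 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.20.1.16/49822 dst inside:10.50.0.21/2598 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.20.1.15/51600 dst inside:10.50.0.22/2598 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.20.1.40/50111 dst inside:10.50.0.9/445 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.20.1.15/51700 dst inside:10.60.0.5/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 1201 for outside:10.20.1.15/51710 (10.20.1.15/51710) to inside:10.50.0.21/443 (10.50.0.21/443)
"""

DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src [^:\s]+:(?P<src>[\d.]+)/\d+ "
    r"dst [^:\s]+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def blocked_flows(log_text, vdi_net=VDI_NET):
    """Count denied flows to the VDI subnet per (protocol, dst address, dst port)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and ipaddress.ip_address(m["dst"]) in vdi_net:
            counts[(m["proto"], m["dst"], int(m["dport"]))] += 1
    return counts

def review(log_text, suggested=SUGGESTED):
    """Compare what the firewall actually blocked with the guessed port list."""
    flows = blocked_flows(log_text)
    blocked_ports = {port for _, _, port in flows}
    return {
        "blocked": sorted(flows.items()),                     # candidates for specific rules
        "never_blocked": sorted(suggested - blocked_ports),   # no evidence these are needed
        "not_on_list": sorted(blocked_ports - suggested),     # investigate before allowing
    }

if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

In the constructed sample only 2598 shows up among the suggested ports, which is what you would expect with session reliability enabled, so a rule for that port to the two servers seen is all the evidence supports; the denied 445 traffic is a question to ask, not a port to open.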

The more rules on a firewall, the more work it has to do. And the greater the chance of error. And the more ports you open up, the less secure it is. And it’s just sloppy—yes, you may get your application to work, but it’s just not a good job. I do know of a company (honestly—I’ve seen the config) which has a Cisco firewall with the immortal line ‘permit ip any any’ in its firewall rules.

You might as well disconnect it and sell it on eBay—at least you’d save the electricity cost—for all the good that box is doing. But the rules had got “too long and complicated” and they were having problems with some applications. Now they all worked fine…

Then there was the company I did some work with a while back that also had a problem getting an application to work through a firewall. They had no idea what ports the application used—so the network guys configured a tunnel between the two routers either side of the firewall, poked all the traffic through that and got the firewall guys to allow all tunnelled traffic through, thereby merrily bypassing all the firewall security. They were quite chuffed at their cleverness.

Although for sheer inventiveness, I had to take my hat off (in a horrified way) to the guys who took bypassing to a whole new level and just plugged a cable in between two routers either side of a firewall and routed their traffic through that instead of going through the firewall, so they didn’t have to keep asking the firewall team to make changes.

Are all of these examples of pressure of work? The application must work, so the end justifies the means? Surely we can do better than this. Even if it’s not causing a security risk (which it is), shouldn’t we be able to take the time to do a job we can be justifiably proud of?

This story, "Fix it, don't fake it" was originally published by


Copyright © 2010 IDG Communications, Inc.
