RE: [fw-wiz] RPCs over HTTPS through the firewall
From: Ben Nagy (ben_at_iagu.net)
Date: 04/25/03
- Previous message: Mark Tinberg: "RE: [fw-wiz] RPCs over HTTPS through the firewall"
- In reply to: Mark Tinberg: "RE: [fw-wiz] RPCs over HTTPS through the firewall"
- Next in thread: Gwendolynn ferch Elydyr: "RE: [fw-wiz] RPCs over HTTPS through the firewall"
- Reply: Gwendolynn ferch Elydyr: "RE: [fw-wiz] RPCs over HTTPS through the firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Mark Tinberg'" <mtinberg@securepipe.com>
Date: Fri, 25 Apr 2003 10:01:17 +0200
> -----Original Message-----
> From: Mark Tinberg [mailto:mtinberg@securepipe.com]
>[...
> On Tue, 22 Apr 2003, Ben Nagy wrote:
> [snip]
> > Finally, "conventional" port 443 traffic basically contains unsecured,
> > unsecureable rubbish, passing through the firewall encrypted, so that
> > it's all one Big River of Risk as far as an admin is concerned. Does
> > it matter much if we add RPC to the sludge? Nnnnnnnope.
>
> I would not agree with that.
OK. But even when taken out of context I think I can still back it up...
> HTTP traffic over 443 or 80 has
> a similar risk profile, although encrypting traffic over 443
> prevents several types of shenanigans that can be had on the
> intervening network links.
I think the point is that port 443 doesn't just contain HTTP traffic
anymore, and from an admin point of view it's impossible to tell. The risk
profile of port 443 isn't really congruent with that of HTTP, and it is one
of the firewall admin's major bugbears.
> RPC on the other hand generally
> exposes a much richer interface, directly into the core of
> the OS that generally was never designed with security as
> even a tertiary concern.
Which is why it's directly exposed on most OSes through the endpoint / port
mapper, right? C'moooonnnnn.
And what's this "directly into the core of the OS" stuff? RPC lets
distributed apps call functions remotely. Yes, it's low level, but that's
not saying the same thing. If you allow, for example, remote registry access
(which uses RPC) _then_ you're exposing the core of the OS, but RPC doesn't
really expose anything by itself.
> There are way more things that can
> go wrong and you have far less access control opportunities
> than with a web service.
(URL will wrap)
http://www.googlefight.com/cgi-bin/compare.pl?q1=RPC+exploit&q2=Web+exploit&B1=Make+a+fight%21&compare=1&langue=us
According to Googlefight (most accurate of sources ;)
RPC exploit (45 800 results) versus Web exploit (1 140 000 results)
Flippant, I know, but - sadly - it does reflect reality. It's ironic,
really, that RPC has been one of the big unix "hack me" services whereas it
is not one of the worst MS offenders. The Web service, however, has
historically been the exact opposite. Before anyone gets all "platform
agnostic" on me, the original question regarded Outlook traffic to an
Exchange server, so excuse me for being windows centric here.
> I would say that allowing RPC from
> random hosts on the Internet without at least authenticating
> the source before allowing the traffic through is a no-go.
That's very true. It's also pretty much unrelated to the discussion you
snipped my quote from. Hardly sporting, old chap.
> - --
> Mark Tinberg <MTinberg@securepipe.com>
> Network Security Engineer, SecurePipe Inc.
Cheers,
ben
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
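The point made in the message above, that a firewall admin cannot tell what is inside port 443, can be shown concretely. The following is an added example, not code from the list post or from either participant: it builds two constructed TLS ClientHello records (one standing in for a browser fetching OWA, one for Outlook doing RPC over HTTP, both to the same front end) and parses out everything a firewall can read in the clear. The hostname mail.example.com, the cipher suite list and the zeroed random field are assumptions chosen for the sample; no real capture is used.

```python
import struct


def _sni_extension(hostname: str) -> bytes:
    """Encode a server_name (SNI) extension for one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list


def build_client_hello(hostname: str, cipher_suites=(0x002F, 0x0035)) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record (sample input, not a capture)."""
    body = b"\x03\x01"                                    # client_version TLS 1.0
    body += b"\x00" * 32                                  # random (zeroed: constructed sample)
    body += b"\x00"                                       # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                   # one compression method: null
    ext = _sni_extension(hostname)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the plaintext metadata a firewall can read from a ClientHello.

    Everything after the handshake (the HTTP request, or the RPC-over-HTTP
    tunnel carried inside it) is encrypted and is not available here.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = body[pos:pos + 2].hex(); pos += 2
    pos += 32                                             # skip random
    pos += 1 + body[pos]                                  # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                  # skip compression methods
    sni = None
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == 0x0000 and len(edata) >= 5:
                # server_name_list length(2), name_type(1), name length(2), name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
    return {"version": version, "sni": sni, "cipher_suites": suites}


def looks_like_tls(data: bytes) -> bool:
    """True if the bytes parse as a ClientHello; cleartext HTTP on 443 does not."""
    try:
        parse_client_hello(data)
        return True
    except ValueError:
        return False


# Two constructed sessions to the same Exchange front end. The firewall sees
# the same SNI and the same cipher suites for both; the inner protocol is opaque.
BROWSER_OWA = build_client_hello("mail.example.com")
OUTLOOK_RPC = build_client_hello("mail.example.com")


def indistinguishable(a: bytes, b: bytes) -> bool:
    return parse_client_hello(a) == parse_client_hello(b)


if __name__ == "__main__":
    print(parse_client_hello(BROWSER_OWA))
    print("same to the firewall:", indistinguishable(BROWSER_OWA, OUTLOOK_RPC))
```

The only policy hook this leaves a perimeter device is the SNI and the destination, which is why the thread keeps coming back to authenticating the source rather than inspecting the stream.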