RE: [fw-wiz] firewall for MS RPC

From: Thomas W Shinder (tshinder_at_tacteam.net)
Date: 04/09/04

  • Next message: Josh Welch: "RE: [fw-wiz] Static ARP firewall advice"
    To: "Daniel Chemko" <dchemko@smgtec.com>, "Tichomir Kotek" <tichomir.kotek@lynx.sk>, "fw" <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 8 Apr 2004 21:49:11 -0500
    
    

    Hi Daniel,

    Are these solutions specific for the Exchange UUIDs? That's where the
    security lies, not in allowing inbound access to the port mapper alone,
    which is certainly NOT secure. ISA firewalls allow secure remote access
    to the Exchange RPC service, and CP, but I'm not aware of any other
    firewall that can do it securely.

    HTH,
    Tom

    -----Original Message-----
    From: Daniel Chemko [mailto:dchemko@smgtec.com]
    Sent: Monday, April 05, 2004 11:02 AM
    To: Tichomir Kotek; fw
    Subject: RE: [fw-wiz] firewall for MS RPC

    > Is there a firewall/solution/workaround that does it better ?

    MS-RPC, which is really DCE-RPC, is well documented. It is a public
    standard, so many shouldn't have a problem implementing the standard if
    they really wanted to. Mind you, there are also secure variants of
    DCE-RPC where they are SSL protected. In this mode, you can't use L7
    filters and you may be able to NAT the session. This is one of the built
    in features of SSL to not allow you to intercept traffic. I have not
    looked into DCE, so there may be workarounds that I'm not aware of.

    That said, having MSRPC with a Windows machine open on the internet is
    pretty frigging dangerous. I'd avoid it like the plague.

    > there are workarounds I'm aware of:
    > 1. RPC over HTTP/HTTPS - requires ISS server
    > 2. PPTP/L2TP tunnel with/without IPsec

    I'd go with #2
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
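
The UUID-based filtering discussed in this thread, as an added example that is not part of the original messages and is not how ISA or any other product implements it: a fail-closed check that parses a DCE/RPC bind PDU and permits it only if every offered interface UUID is allowlisted. It assumes a single unfragmented connection-oriented bind PDU; the function names, the allowlisted UUID, and the sample PDU are constructed for illustration.

```python
import struct
import uuid

# Constructed placeholder for the one interface the policy allows; a real
# deployment would list the published service's actual interface UUIDs.
ALLOWED_INTERFACES = {uuid.UUID("11111111-2222-3333-4444-555555555555")}
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
PTYPE_BIND = 11

def bind_interfaces(pdu: bytes) -> list:
    """Return the abstract-syntax (interface) UUIDs offered in a bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    little = bool(pdu[4] & 0x10)         # data representation: integer byte order
    end = "<" if little else ">"
    (frag_len,) = struct.unpack_from(end + "H", pdu, 8)
    if frag_len != len(pdu):
        raise ValueError("fragment length mismatch")
    n_ctx, off, found = pdu[24], 28, []  # context list starts at offset 24
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated context element")
        n_xfer = pdu[off + 2]            # number of transfer syntaxes offered
        raw = pdu[off + 4:off + 20]      # interface UUID of this context
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * n_xfer          # skip if_version and transfer syntaxes
    if off > len(pdu):
        raise ValueError("truncated transfer syntax list")
    return found

def allow_bind(pdu: bytes) -> bool:
    """Fail closed: permit only binds whose every interface is allowlisted."""
    try:
        offered = bind_interfaces(pdu)
    except ValueError:
        return False
    return bool(offered) and all(u in ALLOWED_INTERFACES for u in offered)

def build_bind(iface: uuid.UUID) -> bytes:
    """Constructed sample: little-endian bind offering one interface over NDR."""
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", 1)
    ctx += NDR.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    head = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 3, b"\x10\x00\x00\x00",
                       16 + len(body), 0, 1)
    return head + body
```

A filter built this way has to apply the same allowlist to alter_context PDUs (packet type 14), which carry the same context list and can add interfaces after the initial bind.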


