RE: RPC over HTTP security

From: Shawn Wall (sjwall_at_shaw.ca)
Date: 01/31/05

    Date: Mon, 31 Jan 2005 08:52:01 -0700
    To: "'Depp, Dennis M.'" <deppdm@ornl.gov>, 'Ansgar -59cobalt- Wiechers' <bugtraq@planetcobalt.net>, security-basics@securityfocus.com

    To clarify, I'm not saying it is 'better' or more secure just that I prefer
    a VPN for the following reasons:

    1. VPN provides authentication and encryption.
    2. VPN access can be configured to reject clients if antivirus is not
    installed/updated.
    3. Granular access to network resources, i.e. access lists can be used to
    'contain' remote users.
    4. Reduced exposure of network resources to the public, i.e. the VPN is
    usually terminated on the firewall and once authenticated, secure comms with
    specified internal resources are permitted.

    In a way some of these features do make a VPN more secure from a control
    aspect.

    shawn

    -----Original Message-----
    From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
    Sent: Saturday, January 29, 2005 9:16 AM
    To: Shawn Wall; Ansgar -59cobalt- Wiechers;
    security-basics@securityfocus.com
    Subject: RE: RPC over HTTP security

    Why is this better than RPC over HTTP? I also have VPN set up. However,
    being able to access Outlook without having to fire up a VPN is very nice,
    particularly if I want to quickly download my mail before going on a trip or
    attending a meeting.

    Why do you feel VPN is more secure than RPC over HTTP?

    Dennis

    -----Original Message-----
    From: Shawn Wall [mailto:sjwall@shaw.ca]
    Sent: Friday, January 28, 2005 4:12 PM
    To: Depp, Dennis M.; 'Ansgar -59cobalt- Wiechers';
    security-basics@securityfocus.com
    Subject: RE: RPC over HTTP security

    I think your best option is to use a VPN to allow your mobile users access
    to email if they require the functionality of Outlook vs OWA.
    I've deployed this configuration using a PIX and Cisco VPN client. Works
    very well.

    shawn

    -----Original Message-----
    From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
    Sent: Friday, January 28, 2005 6:19 AM
    To: Ansgar -59cobalt- Wiechers; security-basics@securityfocus.com
    Subject: RE: RPC over HTTP security

    Ansgar,

    Answers to your questions.

    1) Because the functionality of RPC over HTTP(S) is a great benefit to
    mobile users.
    2) It doesn't. However, by "bloating" the protocol so it will work over
    HTTP, I have also "bloated" the protocol to allow it to work over HTTPS.
    This allows me to secure the traffic.

    Let's now look at RPC. What are the major vulnerabilities of RPC? RPC does
    not authenticate prior to allowing the connection to proceed. Many of the
    RPC vulnerabilities would be neutered if RPC were forced to authenticate prior
    to making the connection. RPC over HTTP solves this problem by forcing
    authentication. When I add HTTPS to this scenario, I have secured my
    credentials while they are in an untrusted environment and provided
    authentication prior to allowing RPC to proceed. The RPC traffic is also
    passed through the SSL tunnel providing end-to-end security.

    Dennis

    -----Original Message-----
    From: Ansgar -59cobalt- Wiechers [mailto:bugtraq@planetcobalt.net]
    Sent: Wednesday, January 26, 2005 8:22 PM
    To: security-basics@securityfocus.com
    Subject: Re: RPC over HTTP security

    On 2005-01-26 sf_mail_sbm@yahoo.com wrote:
    > We are thinking about deploying RPC over HTTP to access email from the
    > Internet

    Ask yourself two questions:

    1. Why does nobody in his right mind do RPC over untrusted networks?
    2. How does bloating a protocol by encapsulating it in plain-text make
       it any better?

    Regards
    Ansgar Wiechers

    --
    "Those who would give up liberty for a little temporary safety deserve
    neither liberty nor safety, and will lose both."
    --Benjamin Franklin
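An added defender-side check, not code from this thread or from any vendor: it probes an RPC proxy endpoint anonymously and reports whether the front end enforces the two properties Dennis relies on (authentication before any RPC is proxied, and TLS around the whole exchange). The endpoint path and the in-process stand-in server are constructed assumptions; point `check_rpc_proxy` at your own proxy URL in practice.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed stand-in for an RPC-over-HTTP proxy front end (not an Exchange
# server): anonymous requests get 401 and only NTLM is offered, never Basic.
class _FakeRpcProxy(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.headers.get("Authorization") is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", "NTLM")
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # silence request logging
        pass

def serve_fake_proxy():
    """Start the stand-in on a random loopback port; returns the server."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeRpcProxy)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def check_rpc_proxy(url):
    """Probe one endpoint URL anonymously and report what the front end enforces."""
    findings = {"https": url.lower().startswith("https://"),
                "requires_auth": False, "offers_basic": False}
    try:
        with urllib.request.urlopen(url, timeout=5):
            pass  # 200 to an anonymous client: RPC reachable without authentication
    except urllib.error.HTTPError as e:
        if e.code == 401:
            findings["requires_auth"] = True
            schemes = [h.split()[0].lower()
                       for h in e.headers.get_all("WWW-Authenticate") or []]
            # Basic over plain HTTP would send credentials in the clear.
            findings["offers_basic"] = "basic" in schemes
    return findings

def acceptable(findings):
    """Dennis's two conditions: authentication is demanded before RPC, and the
    exchange (credentials included) travels inside TLS."""
    return findings["requires_auth"] and findings["https"]

if __name__ == "__main__":
    srv = serve_fake_proxy()
    # Path is a placeholder; substitute your proxy's virtual directory.
    url = "http://127.0.0.1:%d/rpc-proxy-path/" % srv.server_address[1]
    f = check_rpc_proxy(url)
    print(f, "acceptable" if acceptable(f) else "NOT acceptable")
    srv.shutdown()
```

Against the plaintext stand-in the verdict is "NOT acceptable" even though authentication is demanded, because the same check over https would be needed before the credentials and RPC payload count as protected.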
    
