Re: RPC Dynamic Ports? Windows 2003 with Checkpoint firewall.
From: Richard H. Miller (rick_at_bcm.tmc.edu)
Date: 08/21/05
- Next message: Volker Birk: "Re: Zone Alarm vs Kerio"
- Previous message: Wattsville Blues: "Re: Zone Alarm vs Kerio"
- In reply to: Volker Birk: "Re: RPC Dynamic Ports? Windows 2003 with Checkpoint firewall."
- Next in thread: Volker Birk: "Re: RPC Dynamic Ports? Windows 2003 with Checkpoint firewall."
- Reply: Volker Birk: "Re: RPC Dynamic Ports? Windows 2003 with Checkpoint firewall."
- Reply:(deleted message) Leythos: "Re: RPC Dynamic Ports? Windows 2003 with Checkpoint firewall."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 21 Aug 2005 13:54:57 GMT
Volker Birk (bumens@dingens.org) wrote:
: Richard H. Miller <rick@bcm.tmc.edu> wrote:
: > The OP is discussing how to pass Microsoft RPC from one interface to another within
: > the same checkpoint enforcement module. This is what the enforcment modules are
: > designed to do and there is no reason for a VPN since the traffic is only traversing
: > the module and is never on the net.
: Then this type of filtering does not make sense. Why should one filter
: in between one trusted host and another, when they're connected directly?
You do understand the purpose of a 'DMZ' in an enterprise firewall security security
setup? You have multiple interfaces, each with a LAN behind it and a different security
policy for that interface. The classic is a DMZ in which you have a set of machines that
you need to be visible to the internet. They will require some access to specific services
that exist on machines that exist in the internal LAN so the policy needs to be written
to allow those machines to obtain the specific services. In the case of the OP, he has
put a member server into the 'DMZ' and has decided that allowing it to participate in
his domain is an acceptible risk so wants the DCE-RPC traffic to pass from that member
server to his DC. Other traffic between the two is outside of policy and should not
happen.
This is the entire point, you define a policy to specify the appropriate traffic between
host in one zone to another. Bear in mind, Checkpoint with smartdefense is an enterprise
firewall implementation
- Next message: Volker Birk: "Re: Zone Alarm vs Kerio"
- Previous message: Wattsville Blues: "Re: Zone Alarm vs Kerio"
- In reply to: Volker Birk: "Re: RPC Dynamic Ports? Windows 2003 with Checkpoint firewall."
- Next in thread: Volker Birk: "Re: RPC Dynamic Ports? Windows 2003 with Checkpoint firewall."
- Reply: Volker Birk: "Re: RPC Dynamic Ports? Windows 2003 with Checkpoint firewall."
- Reply:(deleted message) Leythos: "Re: RPC Dynamic Ports? Windows 2003 with Checkpoint firewall."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
