Re: RPC Dynamic Ports? Windows 2003 with Checkpoint firewall.
From: Volker Birk (bumens_at_dingens.org)
Date: 21 Aug 2005 16:17:13 +0200
Richard H. Miller <email@example.com> wrote:
> : > The OP is discussing how to pass Microsoft RPC from one interface to another within
> : > the same checkpoint enforcement module. This is what the enforcement modules are
> : > designed to do and there is no reason for a VPN since the traffic is only traversing
> : > the module and is never on the net.
> : Then this type of filtering does not make sense. Why should one filter
> : in between one trusted host and another, when they're connected directly?
> You do understand the purpose of a 'DMZ' in an enterprise firewall security
If you mean "demilitarized zone" with DMZ, a common name for a filtered
zone with a middle level of security in a zone concept, yes, I do.
> You have multiple interfaces, each with a LAN behind it and a different security
> policy for that interface. The classic is a DMZ in which you have a set of machines that
> you need to be visible to the internet. They will require some access to specific services
> that exist on machines that exist in the internal LAN so the policy needs to be written
> to allow those machines to obtain the specific services. In the case of the OP, he has
> put a member server into the 'DMZ' and has decided that allowing it to participate in
> his domain is an acceptable risk so wants the DCE-RPC traffic to pass from that member
> server to his DC. Other traffic between the two is outside of policy and should not
OK, then we have the error here. It is a very bad idea to have a domain,
which is in a high security zone and in a DMZ at the same time.
This should never happen; it's a design flaw, because it breaks the
principle of separation, which is the basic idea of a zone concept
-- "It cannot be that the frustrated ones in Rome decide what happens in German bedrooms." Harald Schmidt on the "Weltjugendtag" (World Youth Day)