Re: RPC Dynamic Ports? Windows 2003 with Checkpoint firewall.

From: Volker Birk
Date: 08/21/05

Date: 21 Aug 2005 16:17:13 +0200

Richard H. Miller <> wrote:
> : > The OP is discussing how to pass Microsoft RPC from one interface to another within
> : > the same checkpoint enforcement module. This is what the enforcement modules are
> : > designed to do and there is no reason for a VPN since the traffic is only traversing
> : > the module and is never on the net.
> : Then this type of filtering does not make sense. Why should one filter
> : in between one trusted host and another, when they're connected directly?
> You do understand the purpose of a 'DMZ' in an enterprise firewall security
> setup?

If by DMZ you mean "demilitarized zone", a common name for a filtered
zone with a middle level of security in a zone concept, yes, I do.

> You have multiple interfaces, each with a LAN behind it and a different security
> policy for that interface. The classic is a DMZ in which you have a set of machines that
> you need to be visible to the internet. They will require some access to specific services
> that exist on machines that exist in the internal LAN so the policy needs to be written
> to allow those machines to obtain the specific services. In the case of the OP, he has
> put a member server into the 'DMZ' and has decided that allowing it to participate in
> his domain is an acceptable risk so wants the DCE-RPC traffic to pass from that member
> server to his DC. Other traffic between the two is outside of policy and should not
> happen.

OK, then we have the error here. It is a very bad idea to have a domain
that is in a high-security zone and in a DMZ at the same time.

This should never happen; it's a design flaw, because it breaks the
principle of separation, which is the basic idea of a zone concept
after all.


"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
                                    Harald Schmidt on "Weltjugendtag" (World Youth Day)
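If the OP nevertheless keeps the member server in the DMZ, the firewall rule between it and the DC should at least not have to open "any high port" for the RPC endpoint mapper to hand out. The following is an added example for that, not code from the thread or from either poster: it pins the dynamic RPC range and the AD replication and Netlogon ports on a Windows 2003 domain controller to fixed values, using the registry values documented in Microsoft KB 154596 and KB 224196. The specific port numbers (5000-5100, 50000, 50001) are assumptions chosen for illustration; the DC must be rebooted for them to take effect. This narrows the rule but does not remove the zone-separation problem described above.

```powershell
# Added example (not from the original thread). Run as Administrator on the
# Windows 2003 DC, then reboot. Port values below are assumptions.

# 1. Restrict the dynamic range the RPC endpoint mapper (TCP 135) allocates from.
#    Values per KB 154596: Ports (REG_MULTI_SZ), PortsInternetAvailable, UseInternetPorts.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) {
    New-Item -Path $rpcKey | Out-Null
}
Set-ItemProperty -Path $rpcKey -Name 'Ports' -Value @('5000-5100') -Type MultiString
Set-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -Value 'Y' -Type String

# 2. Pin AD replication (NTDS) and Netlogon to fixed ports (KB 224196) so they
#    do not need the dynamic range at all.
$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $ntdsKey     -Name 'TCP/IP Port' -Value 50000 -Type DWord
Set-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort' -Value 50001 -Type DWord

# 3. Read the values back so the firewall rule can be checked against what is
#    actually configured before the reboot.
$rpc = Get-ItemProperty -Path $rpcKey
$ntds = Get-ItemProperty -Path $ntdsKey
$nl = Get-ItemProperty -Path $netlogonKey
Write-Host ("RPC dynamic range : {0} (UseInternetPorts={1})" -f ($rpc.Ports -join ','), $rpc.UseInternetPorts)
Write-Host ("NTDS replication  : TCP {0}" -f $ntds.'TCP/IP Port')
Write-Host ("Netlogon          : TCP {0}" -f $nl.DCTcpipPort)
```

With this in place the DMZ-to-DC rule on the enforcement module can be written for TCP 135, TCP 5000-5100, TCP 50000 and TCP 50001 (plus whatever Kerberos, LDAP, DNS and SMB the member server needs) instead of an open high-port range. Every one of those holes is still a path from the lower-security zone into the domain, which is the point made above.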
