Firewall Wizards mailing list archives
MS DCOM & Tunneling TCP/IP
From: "Coleman,Clayton L." <lcoleman () foxboro com>
Date: Tue, 9 Nov 1999 12:54:47 -0500
Many of you are aware that Microsoft's Distributed COM (DCOM) is not a very "firewall-friendly" suite by default. However, its developers realized the need to implement features which would allow DCOM to be used in a more "secure" manner. I describe two of the possibilities below.

Rather than using RPC to assign a port between 1024 and 65535, you can restrict the number of ports used to a particular range. As a further precaution, all DCOM traffic can be limited to TCP, which makes most firewalls very happy. Therefore, you could have clients using TCP port 135 and a few others you specify (let's say 10 in this example), and your firewall would only allow traffic on the eleven ports. Having eleven ports permitting traffic rather than 64511 permitting traffic makes most security analysts rest a little easier.

Microsoft provides a second method for taming DCOM. It is by means of TCP/IP tunneling. By using tunneling, you can implement DCOM calls across most any TCP port (if allowed by your firewall). That means if you want to use DCOM but your firewall administrator won't allow 135 and a custom range, you can sneak the DCOM across port 80 - of course this wouldn't work in a proxy or stateful-inspection situation.

My question is this -- what pros and cons can be made for each method of accepting DCOM through a firewall? I'm more interested in the security concepts here, not whether DCOM should ever be allowed outbound to Internet connections. In our case, we are using DCOM internally to specific hosts; however, we're in a debate as to whether it should be tunneled or not.

A) Allowing TCP port 135 and a range of ports designated for DCOM, i.e. (1024-1034). This is much better than allowing the 64511 ports which could be used in a typical installation. I do realize most people usually shy away from allowing RPC in any situation.

B) Tunneling DCOM over another port, such as TCP 80 (HTTP). IMHO - with this method I feel like you wouldn't be able to tell much from logs, other than a bunch of HTTP traffic is passing through the firewall.

For a little more in-depth information on DCOM and firewalls, you might want to look at a white paper by Michael Nelson at http://www.microsoft.com/Com/wpaper/dcomfw.asp

Clayton L. Coleman
Systems Network Specialist
lcoleman () foxboro com
The Foxboro Company
33 Commercial St., B52-AA
Foxboro, MA 02035
+1 (888) 369-2676 x6388
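To see what each of the two schemes from the post actually leaves in the logs, here is an added example (not part of the original post, and not Microsoft's code): a small Python audit over constructed firewall and HTTP proxy records. Scheme A is checked against a policy of TCP 135 plus the configured dynamic range. Scheme B relies on the fact that Microsoft's "TCP/IP tunneling" is RPC over HTTP (the ncacn_http protocol sequence), whose requests use the RPC_CONNECT method (v1) or RPC_IN_DATA/RPC_OUT_DATA (v2) against /rpc/rpcproxy.dll with the real DCOM server encoded as "?host:port" in the URI; a plain port filter sees only port 80, but a proxy or IIS log can still separate it from ordinary web traffic. The log formats, addresses and the hostname dcomsrv.example.com are constructed for this example.

```python
"""Added example: what scheme A (TCP 135 + restricted range) and scheme B
(DCOM tunneled over HTTP) look like in firewall and proxy logs.
All log lines and record formats below are constructed for the example."""
import re
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

ENDPOINT_MAPPER = 135  # RPC endpoint mapper, always needed for DCOM

# RPC-over-HTTP request methods and the proxy ISAPI path (v1 used RPC_CONNECT;
# v2 uses a paired RPC_IN_DATA / RPC_OUT_DATA channel, both to rpcproxy.dll).
RPC_HTTP_METHODS = frozenset({"RPC_CONNECT", "RPC_IN_DATA", "RPC_OUT_DATA"})
RPC_PROXY_PATH = "/rpc/rpcproxy.dll"


def dcom_port_policy(range_start: int, range_end: int) -> FrozenSet[int]:
    """Scheme A: TCP ports the firewall must pass = 135 plus the range (inclusive)."""
    if not 1024 <= range_start <= range_end <= 65535:
        raise ValueError("DCOM dynamic range must lie within 1024-65535")
    return frozenset({ENDPOINT_MAPPER, *range(range_start, range_end + 1)})


# Constructed firewall record: "<date> <time> <ACTION> <PROTO> src:port -> dst:port"
FW_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def classify_firewall_line(line: str, policy: FrozenSet[int]) -> Tuple[str, str]:
    """Return (action, verdict). An ACCEPT that is 'outside-policy' means the
    firewall rule is wider than the DCOM configuration; a DROP there is fine."""
    m = FW_LINE.match(line.strip())
    if not m:
        return ("?", "unparsed")
    if m["proto"] != "TCP":
        # DCOM was limited to TCP on the hosts, so UDP (ncadg_ip_udp) should never show up.
        return (m["action"], "non-tcp")
    dport = int(m["dport"])
    if dport == ENDPOINT_MAPPER:
        return (m["action"], "endpoint-mapper")
    if dport in policy:
        return (m["action"], "dcom-range")
    return (m["action"], "outside-policy")


def audit_firewall_log(lines: Iterable[str], policy: FrozenSet[int]) -> Dict[str, int]:
    """Count verdicts over a firewall log."""
    return dict(Counter(classify_firewall_line(l, policy)[1] for l in lines))


def policy_violations(lines: Iterable[str], policy: FrozenSet[int]) -> List[str]:
    """Records the firewall ACCEPTed that the DCOM port policy does not explain."""
    return [l for l in lines if classify_firewall_line(l, policy) == ("ACCEPT", "outside-policy")]


# Constructed proxy/IIS record: "<client> <METHOD> <uri> <status>"
PROXY_LINE = re.compile(r"^(?P<client>[\d.]+) (?P<method>[A-Z_]+) (?P<uri>\S+) (?P<status>\d{3})$")


def tunnel_target(uri: str) -> Optional[Tuple[str, int]]:
    """RPC over HTTP names the real DCOM server as '?host:port' on the rpcproxy URI."""
    path, _, query = uri.partition("?")
    if not path.lower().endswith(RPC_PROXY_PATH):
        return None
    host, _, port = query.rpartition(":")
    return (host, int(port)) if host and port.isdigit() else None


def audit_proxy_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scheme B: pick the DCOM-over-HTTP sessions out of what looks like web traffic."""
    found = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue
        target = tunnel_target(m["uri"])
        if m["method"] in RPC_HTTP_METHODS or target is not None:
            found.append({"client": m["client"], "method": m["method"], "target": target})
    return found


FIREWALL_LOG = [  # constructed
    "1999-11-09 12:54:47 ACCEPT TCP 10.1.1.5:2049 -> 10.2.2.7:135",
    "1999-11-09 12:54:47 ACCEPT TCP 10.1.1.5:2050 -> 10.2.2.7:1030",
    "1999-11-09 12:55:02 ACCEPT TCP 10.1.1.5:2051 -> 10.2.2.7:1027",
    "1999-11-09 12:55:10 DROP TCP 10.1.1.9:3011 -> 10.2.2.7:1080",
    "1999-11-09 12:55:12 DROP UDP 10.1.1.9:3012 -> 10.2.2.7:135",
    "1999-11-09 12:55:20 ACCEPT TCP 10.1.1.9:3013 -> 10.2.2.7:5000",
]
PROXY_LOG = [  # constructed
    "10.1.1.5 GET /default.htm 200",
    "10.1.1.5 RPC_CONNECT /rpc/rpcproxy.dll?dcomsrv.example.com:1030 200",
    "10.1.1.6 RPC_IN_DATA /rpc/rpcproxy.dll?dcomsrv.example.com:1031 200",
    "10.1.1.6 RPC_OUT_DATA /rpc/rpcproxy.dll?dcomsrv.example.com:1031 200",
    "10.1.1.7 POST /cgi-bin/form.pl 302",
]

if __name__ == "__main__":
    policy = dcom_port_policy(1024, 1034)
    print(f"Scheme A: {len(policy)} TCP ports open:", sorted(policy))
    print("Verdicts:", audit_firewall_log(FIREWALL_LOG, policy))
    print("Accepted outside policy:", policy_violations(FIREWALL_LOG, policy))
    for entry in audit_proxy_log(PROXY_LOG):
        print("Scheme B tunnel:", entry)
```

Two practical notes on scheme A. The range 1024-1034 from the post is eleven ports, so with 135 the firewall passes twelve; and the RPC port restriction on the hosts is a per-machine RPC runtime setting, so every RPC server on that machine, not only DCOM, is squeezed into the same range, which is why the range has to be sized for all of them.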
Current thread:
- MS DCOM & Tunneling TCP/IP Coleman,Clayton L. (Nov 10)
- Re: MS DCOM & Tunneling TCP/IP Joseph S D Yao (Nov 10)
- RE: MS DCOM & Tunneling TCP/IP Phil Cox (Nov 14)