Firewall Wizards mailing list archives

MS DCOM & Tunneling TCP/IP


From: "Coleman,Clayton L." <lcoleman () foxboro com>
Date: Tue, 9 Nov 1999 12:54:47 -0500

Many of you are aware Microsoft's Distributed COM (DCOM) is not a very
"firewall-friendly" suite by default. However, its developers realized
the need to implement features which would allow DCOM to be used in a more
"secure" manner. I describe two of the possibilities below.

Rather than using RPC to assign a port between 1024 and 65535 you can
restrict the number of ports used to a particular range. As a further
precaution, all DCOM traffic can be limited to TCP, which makes most
firewalls very happy. Therefore, you could have clients using TCP port 135
and a few others you specify (let's say 10 in this example) and your
firewall would only allow traffic on the eleven ports. Having eleven
ports permitting traffic rather than 64511 permitting traffic makes most
security analysts rest a little easier.

Microsoft provides a second method for taming DCOM. It is by means of
TCP/IP tunneling. By using tunneling, you can implement DCOM calls across
most any TCP port (if allowed by your firewall). That means if you want to
use DCOM but your firewall administrator won't allow 135 and a custom
range, you can sneak the DCOM across port 80 - of course this wouldn't work
in a proxy or stateful-inspection situation.

My question is this -- what pros and cons can be made for each method of
accepting DCOM through a firewall? I'm more interested in the security
concepts here, not whether DCOM should ever be allowed outbound to Internet
connections. In our case, we are using DCOM internally to specific hosts,
however we're in a debate as to whether it should be tunneled or not.

A) Allowing TCP port 135 and a range of ports designated for DCOM, i.e.
(1024-1034). This is much better than allowing the 64511 ports which could
be used in a typical installation. I do realize most people usually shy
away from allowing RPC in any situation.

B) Tunneling DCOM over another port, such as TCP 80 (HTTP).
IMHO - with this method I feel like you wouldn't be able to tell much from
logs, other than a bunch of HTTP traffic is passing through the firewall.

For a little more in-depth on DCOM and firewalls, you might want to look at
a white paper by Michael Nelson at
http://www.microsoft.com/Com/wpaper/dcomfw.asp

Clayton L. Coleman
Systems Network Specialist
lcoleman () foxboro com

The Foxboro Company
33 Commercial St., B52-AA
Foxboro, MA 02035
+1 (888) 369-2676 x6388
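On the logging concern raised under B), here is an added example that is not part of the original post: a small classifier that tells ordinary HTTP, Microsoft's RPC-over-HTTP tunnel (the RPC_CONNECT / RPC_IN_DATA / RPC_OUT_DATA verbs) and a bare DCE/RPC bind apart from the first bytes of a stream to port 80, which is the distinction a proxy or content-inspecting firewall acts on while a port-only log records just tcp/80. The hosts, ports and payloads are constructed for illustration.

```python
"""Added example: what content inspection sees on "port 80" DCOM traffic.
A port-only log shows a tunnelled DCOM session as tcp/80; the first bytes of
the stream separate plain HTTP, RPC-over-HTTP and a bare DCE/RPC bind.
All sample flows and payloads below are constructed for illustration."""
import struct

# Verbs used by Microsoft's RPC-over-HTTP tunnel (v1 uses RPC_CONNECT,
# v2 the RPC_IN_DATA / RPC_OUT_DATA pair); ordinary HTTP verbs for contrast.
RPC_HTTP_METHODS = (b"RPC_CONNECT", b"RPC_IN_DATA", b"RPC_OUT_DATA")
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS")
# Connection-oriented DCE/RPC PDU types worth naming in a log line.
DCERPC_PTYPE = {0: "request", 2: "response", 11: "bind", 12: "bind_ack"}


def classify(payload: bytes) -> str:
    """Label a TCP payload: 'http', 'rpc-over-http', 'dcerpc:<ptype>' or 'unknown'."""
    # Bare DCE/RPC common header: rpc_vers 5, rpc_vers_minor 0/1, ptype, flags,
    # data representation (4), frag_length (2), auth_length (2), call_id (4).
    if len(payload) >= 16 and payload[0] == 5 and payload[1] in (0, 1):
        ptype = payload[2]
        frag_len = struct.unpack_from("<H", payload, 8)[0]
        if ptype in DCERPC_PTYPE and frag_len >= 16:
            return "dcerpc:" + DCERPC_PTYPE[ptype]
    method = payload.split(b" ", 1)[0]
    if method in RPC_HTTP_METHODS:
        return "rpc-over-http"
    if method in HTTP_METHODS:
        return "http"
    return "unknown"


def dcerpc_bind(call_id: int = 1) -> bytes:
    """Construct a minimal 16-byte DCE/RPC bind header (little-endian NDR)."""
    return struct.pack("<BBBB4sHHI", 5, 0, 11, 3, b"\x10\x00\x00\x00", 72, 0, call_id)


def annotate(flows):
    """Turn (src, dst, dport, payload) records into log lines naming the real protocol."""
    return [f"{src} -> {dst}:{dport} {classify(data)}" for src, dst, dport, data in flows]


if __name__ == "__main__":
    sample = [  # constructed flows, all to tcp/80 and identical in a port-only log
        ("10.1.1.5:3011", "10.1.2.9", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
        ("10.1.1.5:3012", "10.1.2.9", 80, b"RPC_CONNECT 10.1.2.9:593 HTTP/1.1\r\n\r\n"),
        ("10.1.1.5:3013", "10.1.2.9", 80, dcerpc_bind()),
    ]
    for line in annotate(sample):
        print(line)
```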
