Security Basics mailing list archives

RE: RPC over HTTP security


From: "Depp, Dennis M." <deppdm () ornl gov>
Date: Tue, 01 Feb 2005 07:26:51 -0500

The "Best" option depends on their business requirements and the amount
of risk they are willing to take.  VPN is a good solution.  To say it is
best in all environments is a bit presumptuous.

Dennis

-----Original Message-----
From: Shawn Wall [mailto:sjwall () shaw ca] 
Sent: Friday, January 28, 2005 4:12 PM
To: Depp, Dennis M.; 'Ansgar -59cobalt- Wiechers';
security-basics () securityfocus com
Subject: RE: RPC over HTTP security

I think your best option is to use a VPN to allow your mobile users access
to email if they require the functionality of Outlook vs OWA. I've deployed
this configuration using a PIX and Cisco VPN client. Works very well.

shawn 

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm () ornl gov] 
Sent: Friday, January 28, 2005 6:19 AM
To: Ansgar -59cobalt- Wiechers; security-basics () securityfocus com
Subject: RE: RPC over HTTP security

Ansgar,

Answers to your questions.

1)  Because the functionality of RPC over HTTP(S) is a great benefit to
mobile users.
2)  It doesn't.  However, by "bloating" the protocol so it will work over
HTTP, I have also "bloated" the protocol to allow it to work over HTTPS.
This allows me to secure the traffic.

Let's now look at RPC.  What are the major vulnerabilities of RPC?  RPC does
not authenticate prior to allowing the connection to proceed.  Many of the
RPC vulnerabilities would be neutered if RPC was forced to authenticate prior
to making the connection.  RPC over HTTP solves this problem by forcing
authentication.  When I add HTTPS to this scenario, I have secured my
credentials while they are in an untrusted environment and provided
authentication prior to allowing RPC to proceed.  The RPC traffic is also
passed through the SSL tunnel providing end-to-end security.

Dennis

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Wednesday, January 26, 2005 8:22 PM
To: security-basics () securityfocus com
Subject: Re: RPC over HTTP security

On 2005-01-26 sf_mail_sbm () yahoo com wrote:
> We are thinking about deploying RPC over HTTP to access email from the
> Internet

Ask yourself two questions:

1. Why does nobody in his right mind do RPC over untrusted networks?
2. How does bloating a protocol by encapsulating it in plain-text make
   it any better?

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve
neither liberty nor safety, and will lose both."
--Benjamin Franklin

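As an added example, not part of this thread or of any poster's message, here is a small offline checker for the property Dennis argues for in his 28 January reply: that the RPC proxy demands authentication before any RPC traffic proceeds, and that the credential exchange only takes place under TLS rather than on the plain HTTP listener. The endpoint path /rpc/rpcproxy.dll and the RPC_IN_DATA / RPC_OUT_DATA methods come from the RPC over HTTP protocol (MS-RPCH); the hostnames, every HTTP response it evaluates, and the verdict rules themselves are constructed assumptions for the example, not captures from or claims about any real server.

```python
# Added example, not code from this thread or from any product it mentions.
# Offline check of two properties: the RPC proxy must answer an unauthenticated
# request with a challenge (never proceed with RPC), and that challenge must only
# be answered over TLS. Path and methods are from MS-RPCH; hostnames, sample
# responses and verdict rules are constructed assumptions.

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RPC_PROXY_PATH = "/rpc/rpcproxy.dll"
RPC_METHODS = ("RPC_IN_DATA", "RPC_OUT_DATA")


def build_probe(host: str, method: str = "RPC_IN_DATA") -> bytes:
    """Unauthenticated probe: no Authorization header, so a proxy that forces
    authentication must reply 401 (or refuse) instead of proceeding."""
    if method not in RPC_METHODS:
        raise ValueError(f"unknown RPC over HTTP method: {method}")
    # MS-RPCH puts the back-end RPC server:port in the query string (placeholder here).
    request = (
        f"{method} {RPC_PROXY_PATH}?exchange.example.test:6001 HTTP/1.1\r\n"
        f"Host: {host}\r\nContent-Length: 0\r\n\r\n"
    )
    return request.encode("ascii")


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Status code and headers of a response head (body ignored). Repeated headers
    are kept in order: IIS sends one WWW-Authenticate line per scheme offered."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


@dataclass
class Assessment:
    verdict: str                       # "ok", "weak" or "bad"
    findings: List[str] = field(default_factory=list)


def assess(scheme: str, raw_response: str) -> Assessment:
    """Judge one listener ("http" or "https") by its reply to the unauthenticated probe."""
    status, headers = parse_response(raw_response)
    schemes = [c.split()[0].lower() for c in headers.get("www-authenticate", []) if c]
    location = headers.get("location", [""])[0]
    if 200 <= status < 300:
        return Assessment("bad", [f"{scheme}: proxy proceeds with RPC with no authentication"])
    if scheme == "http":
        if status == 401:
            f = [f"http: credentials solicited on the clear-text listener ({', '.join(schemes) or 'no scheme'})"]
            if "basic" in schemes:
                f.append("http: Basic over HTTP sends the password in clear text")
            return Assessment("bad", f)
        if 300 <= status < 400 and location.lower().startswith("https://"):
            return Assessment("ok", ["http: redirects to HTTPS before any challenge"])
        if status in (403, 404):
            return Assessment("ok", ["http: proxy path not served on the clear-text listener"])
        return Assessment("weak", [f"http: unexpected status {status}"])
    if status == 401:
        if not schemes:
            return Assessment("weak", ["https: 401 without WWW-Authenticate, nothing to authenticate with"])
        f = [f"https: authentication required before RPC proceeds ({', '.join(schemes)})"]
        if "basic" in schemes:
            f.append("https: Basic offered; the password is protected only by the TLS tunnel")
        return Assessment("ok", f)
    return Assessment("weak", [f"https: unexpected status {status}"])


def evaluate_endpoint(http_response: str, https_response: str) -> str:
    """Combined verdict for one host: the worse of its two listeners."""
    rank = {"ok": 0, "weak": 1, "bad": 2}
    verdicts = [assess("http", http_response).verdict, assess("https", https_response).verdict]
    return max(verdicts, key=rank.__getitem__)


# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "good_https": ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
                   "WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n"),
    "redirect_http": ("HTTP/1.1 301 Moved Permanently\r\n"
                      "Location: https://mail.example.test/rpc/rpcproxy.dll\r\nContent-Length: 0\r\n\r\n"),
    "basic_http": ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"mail.example.test\"\r\n"
                   "Content-Length: 0\r\n\r\n"),
    "open_https": "HTTP/1.1 200 OK\r\nContent-Type: application/rpc\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    print(build_probe("mail.example.test").decode())
    for name, raw in SAMPLES.items():
        a = assess("https" if name.endswith("https") else "http", raw)
        print(f"{name:14} {a.verdict:5} {'; '.join(a.findings)}")
```

To use it against a real deployment, send the bytes from build_probe to both the port 80 and port 443 listeners (the latter inside a TLS connection), read back the response head, and pass the two heads to evaluate_endpoint; a "bad" on the plain HTTP side is exactly the case where HTTPS is doing nothing for the credentials because the clear-text listener also hands out the challenge.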