Firewall Wizards mailing list archives

RE: Details on Sidewinder RPC proxy support?


From: "Lee (Lockdown) Hughes" <lee () polestar co uk>
Date: Wed, 25 Aug 1999 11:37:55 +0100

I'm new to this list, but I'd advise your client not to map client or server
RPC requests through their firewall. You're asking for trouble; if you can push
them down either an IPsec VPN route, or some IP tunneling system, then do it.
RPC is a very complex procedure, and has many holes actually within the layer 7
part of it, buffer overflows, no parameter checking, possibly one of the most
unhacked and unknown areas on the machine! Hackers like virgin.

You may be able to use the Sun security system to deny socket connections via
the source IP address, but again you can just walk through that with a bit of
IP spoofing on the attacker's side. Again, I don't think your client understands
the nature of the internet; the application should be written with the public
internet in mind. That's the main difference between an intranet/internet web
application: you can do lots of 'clever stuff', as my developers call it, on the
intranet, but go public and you have to rethink A LOT of things.

With re-coding their apps to use common and easily controlled protocols such as
http, then there's not much else I can say. Okay, you can get very expensive and
sophisticated firewall solutions, but keeping this secure will be a major
problem. Without knowing what the application does, it's hard to say if using
RPC is justified!!!!

Cheers,
Lee

-----Original Message-----
From: Chris Shenton [mailto:cshenton () uucom com]
Sent: 24 August 1999 19:53
To: Firewall-Wizards@Nfr. Net
Subject: Details on Sidewinder RPC proxy support?


I have a client who plans to run RPC across their firewall and
believes that SideWinder's recently added RPC proxy may solve all
their problems. Worse, they want to run CORBA in the future, across
the firewall, through the "extranets", across the wan, over the river
and through the woods for all I can tell.

I've not been terribly keen to architect systems this way and would
prefer they put the two machines which (currently) need to speak RPC
on the inside of the firewall. (It's just an app server talking to a
database, after all!).  I think you'd have to have a fairly
sophisticated RPC proxy to track portmapper requests/responses.
Further, if you wanted to keep out hostile traffic rather than simply
act like a stateful packet filter, you'd have to get into the
application layer and examine for hostile requests.

I've read the SideWinder Tech Brief document at
http://www.sctc.com/SW41TechBrief.zip where it says:

    The Sun RPC proxy mediates requests from an RPC client to a server's
    portmapper process. The Sun ONC RPC format is supported. This feature
    will allow client/server applications to communicate securely through
    the firewall.

I need to know how much detail the firewall examines, how fine grained
I can tighten down the RPC proxy on Sidewinder.

* can I restrict certain from/to hosts and ports?
* can I restrict to specific portmapper service numbers?
* can I permit/deny certain RPC commands?

Any other thoughts on how to improve security here if they won't let
me re-architect?

Thanks for your help.
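Chris's second and third questions (restricting by portmapper service number, permitting or denying individual RPC procedures) come down to what an RPC proxy has to decode from every call. The block below is an added example, not Sidewinder's code or anything posted in this thread: it parses the ONC RPC v2 CALL header as laid out in RFC 5531, follows portmapper GETPORT requests so the proxy knows which (program, version) the client will dial next, and applies an allow-list policy. The policy table and the program number 0x20000001 are constructed for illustration.

```python
import struct

MSG_CALL = 0
PMAP_PROG = 100000        # portmapper program number
PMAPPROC_GETPORT = 3      # "which port serves (prog, vers, proto)?"

def parse_rpc_call(data: bytes) -> dict:
    """Decode an ONC RPC v2 CALL header: xid, prog, vers, proc, cred/verf."""
    if len(data) < 24:
        raise ValueError("short RPC message")
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", data[:24])
    if mtype != MSG_CALL or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL")
    off, flavors = 24, []
    for _ in ("cred", "verf"):              # two opaque_auth fields follow
        if off + 8 > len(data):
            raise ValueError("truncated auth field")
        flavor, blen = struct.unpack("!II", data[off:off + 8])
        if blen > 400 or off + 8 + blen > len(data):
            raise ValueError("bad auth body length")   # XDR caps the body at 400
        off += 8 + ((blen + 3) & ~3)        # body is padded to a 4-byte boundary
        flavors.append(flavor)
    msg = {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
           "cred_flavor": flavors[0], "params": data[off:]}
    # A proxy must read GETPORT to learn which service the client will contact next.
    if prog == PMAP_PROG and proc == PMAPPROC_GETPORT and len(data) - off >= 16:
        tp, tv, tproto, _port = struct.unpack("!4I", data[off:off + 16])
        msg["getport"] = {"prog": tp, "vers": tv, "proto": tproto}
    return msg

def rpc_allowed(msg: dict, policy: dict) -> bool:
    """Allow-list: (prog, vers) must be in policy and proc listed for it; a
    GETPORT may only look up programs the policy would proxy anyway."""
    procs = policy.get((msg["prog"], msg["vers"]))
    if procs is None or msg["proc"] not in procs:
        return False
    if "getport" in msg:
        gp = msg["getport"]
        return (gp["prog"], gp["vers"]) in policy
    return True

def build_call(xid: int, prog: int, vers: int, proc: int, params: bytes = b"") -> bytes:
    """Constructed sample CALL with AUTH_NONE cred and verf (flavor 0, empty body)."""
    hdr = struct.pack("!6I", xid, MSG_CALL, 2, prog, vers, proc)
    null_auth = struct.pack("!II", 0, 0)
    return hdr + null_auth + null_auth + params

APP_PROG = 0x20000001     # constructed: user-range program number for the app server
POLICY = {(PMAP_PROG, 2): {PMAPPROC_GETPORT}, (APP_PROG, 1): {1, 2}}
```

Feed it a captured call and `rpc_allowed(parse_rpc_call(data), POLICY)` gives the permit/deny decision; anything that fails to parse should be dropped rather than forwarded.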


