Firewall Wizards mailing list archives

RE: MS DCOM & Tunneling TCP/IP


From: "Phil Cox" <Phil.Cox () SystemExperts com>
Date: Thu, 11 Nov 1999 17:03:08 -0800

"firewall-friendly" suite by default.   However, its developers realized
the need to implement features which would allow DCOM to be used in a more
"secure" manner.   I describe two of the possibilities below.

This is a VERY loose definition of "secure" in my book...


My question is this -- what pros and cons can be made for each method of
accepting DCOM through a firewall?  I'm more interested in the security

Depends on how much you don't want your internal system compromised...


B) Tunneling DCOM over another port, such as TCP 80 (HTTP).   
IMHO - with this method I feel like you wouldn't be able to tell much from
logs, other than a bunch of HTTP traffic is passing through the firewall.

<climb up on soap box>

This should NEVER be allowed as far as I am concerned. This is the epitome of port misuse in my book. I expect Web 
protocols to go over this port, and NOT RPC. THIS IS NOT HTTP traffic, it is RPC traffic, just over port 80, so your 
logs won't show squat. It infuriates me to know that people will go so far as to say, "well, if they won't let it through 
the ports I want, then I'll just run it over a port they have to let through". This TCP/IP Tunneling is (or at least 
should be) a main selling point for Proxies over filters, so vendors cannot purposefully violate your security 
policy!!!!!

<step down>

Needless to say, I am strongly against generic DCOM in any form traversing the DMZ. Too many "cool features" + too many 
junior coders = Internal net compromise. It is not worth it.

Phil 
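The point Phil makes about logs (a packet filter records "port 80 allowed" for everything, while an application-layer proxy can see that what arrived is RPC rather than HTTP) can be shown with a small payload check. The following is an added example, not code from the original post or from any firewall product: it looks at the first bytes a client sends on TCP/80 and classifies them as a real HTTP request, a raw DCE/RPC bind (the 05 00 0b version/type bytes that open a connection-oriented RPC PDU), an HTTP-shaped tunnel using a method plain HTTP does not define (the RPC_CONNECT line used by RPC over HTTP v1 is assumed here as the sample), or something else entirely. The sample payloads and the function names (classify, proxy_decision, compare_views) are constructed for this example.

```python
"""
Added example (not part of the original mailing-list post): what a packet
filter vs. an application-layer proxy can tell about a TCP/80 connection.
All sample payloads below are constructed for this example.
"""
import re

# HTTP/1.x request line: token SP request-target SP HTTP/x.y CRLF
_REQUEST_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/(\d)\.(\d)\r\n")

# DCE/RPC connection-oriented PDU header: rpc_vers=5, rpc_vers_minor=0,
# ptype=0x0b (bind). A client that simply points DCOM at port 80 sends this.
DCERPC_BIND = b"\x05\x00\x0b"

# Methods plain HTTP defines. Any other token on the request line is some
# other protocol wearing an HTTP costume (a tunnel), not a Web request.
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT"}


def classify(payload: bytes) -> str:
    """Classify the first client->server bytes of a TCP/80 stream."""
    if payload.startswith(DCERPC_BIND):
        return "dcerpc-bind"                 # raw RPC, just on port 80
    m = _REQUEST_LINE.match(payload)
    if not m:
        return "not-http"                    # no request line at all
    method = m.group(1)
    if method in HTTP_METHODS:
        return "http"
    # Well-formed request line, but a method HTTP does not define
    return "http-shaped-tunnel:" + method.decode("ascii", "replace")


def proxy_decision(payload: bytes) -> str:
    """Policy an HTTP proxy can enforce: forward only genuine HTTP."""
    return "permit" if classify(payload) == "http" else "deny"


def compare_views(flows: dict) -> dict:
    """Side by side: what a port filter logs vs. what a proxy logs per flow.
    The port filter never looks past the TCP header, so every flow to
    port 80 is recorded identically; the proxy records the protocol it saw."""
    return {name: ("tcp/80 allowed", classify(payload), proxy_decision(payload))
            for name, payload in flows.items()}


# Constructed sample payloads, one per flow
SAMPLES = {
    "browser":       b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    # bind header: ver 5.0, ptype 0x0b, flags 0x03, drep LE, frag_len 72, auth 0, call_id 1
    "dcom_raw":      DCERPC_BIND + b"\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00",
    # RPC over HTTP v1 style request line (assumed sample, constructed)
    "rpc_over_http": b"RPC_CONNECT 10.0.0.5:135 HTTP/1.0\r\n\r\n",
    "tls_on_80":     b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98",  # TLS ClientHello
}


if __name__ == "__main__":
    for name, (filter_log, proxy_log, verdict) in compare_views(SAMPLES).items():
        print(f"{name:14s} filter: {filter_log:16s} proxy: {proxy_log:30s} -> {verdict}")
```

The filter column is the same string for all four flows, which is exactly the "bunch of HTTP traffic" the original poster expected to see in the logs; only the proxy column distinguishes the browser from the DCOM client. A real proxy would go on to parse headers and bodies, but the request line alone is already enough to refuse the tunnel.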


