Firewall Wizards mailing list archives

Re: FW-1 and RPC with MSDTC


From: Darren Reed <darrenr () reed wattle id au>
Date: Sat, 13 Jan 2001 04:32:18 +1100 (EST)

Sigh.  I must be writing emails in Latin these days or newcomers to
networking don't know anything but Microsoft.

Let me attempt to summarise the problems I'm seeing with Microsoft RPC
through a firewall:
- you can't control what port number an RPC service gets (you can only
  influence the range used for the random allocation)
- you can't restrict access based on the RPC itself

Let me contrast that with Sun RPC through FW-1:
- you can't control what port number an RPC gets (it either chooses or
  gets a random one)
- you can restrict access based on the RPC itself

So I can block all NFS/file locking RPC requests at the firewall but
still allow status requests.  The reason you can do this is that each
Sun RPC service is identified by an RPC number, eg:
RPC Number  Version  Protocol   Port  Service
    100003        2       udp   2049  nfs
    100003        3       udp   2049  nfs
    100001        3       udp  61193  rstatd
    100001        4       udp  61193  rstatd
A service can notify the RPC manager which port number it is using
(i.e. 2049 for nfs) or request one to be randomly assigned (i.e. 61193
for rstatd).  That aside, if you want to allow rstatd through the
firewall and only rstatd you can because you don't allow any other RPC
lookups to succeed and neither do you have to allow (or restrict) what
port is used because you can get it out of the RPC packets.

Now if you can do all that with MS RPC packets too, someone please send
me the docs on how to decode the "service number" or "service name" in the
RPC-loc packets.  It has got to be there, else the client end cannot talk
to the server, I just don't know how...anyone, please ? :)

IMHO, that knowledge base article is a complete wank unless you plan on
running one RPC service per box.  You can't do that ("20 port minimum")
so the whole thing is really a waste of time so far as security is
concerned.  To reiterate, when I wrote a proxy for Microsoft's RPC I
was not able to set up filtering on the RPC call itself, only decode the
lookup and reply, looking for IP addresses and port numbers to remember
for future use in client-server filtering.

Darren

In some email I received from Andrew Helm-Cowley, sie wrote:
The RPC port is randomly assigned by the RPC-loc request.  You can restrict
the ports that are used by editing the registry (Microsoft Q article
Q154596).  By doing this you can lock RPC down to 20 ports (Microsoft
minimum).

Andrew
-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Darren Reed
Sent: Thursday, January 11, 2001 2:58 PM
To: Michael Nelson
Cc: jmegias () hyphop com; firewall-wizards () nfr net
Subject: Re: [fw-wiz] FW-1 and RPC with MSDTC


I think you've misunderstood the question.  At least when one uses Sun RPC
there is a "program number" (/etc/rpc) for each RPC service.  FW-1 allows
you to control access across the firewall based on the RPC number (it's
encoded into the RPC packets).

On the Microsoft front, I've no idea if they have a similar mechanism but
I suspect they do.  After all, how else do you get the right port number
back to a query?  The documentation in Samba provides some details and with
some protocol analysis I was able to write an RPC proxy for IP Filter so I
could firewall an Exchange server and still have things work without having
to open up a bunch of ports for no good reason - only 137/tcp or whatever
it is where those lookups happen.

Darren

In some email I received from Michael Nelson, sie wrote:
That's because the RPC port number is random. See
http://www.microsoft.com/com/wpaper/dcomfw.asp (written by yours truly)
for more info. The info
applies to RPC as well as DCOM.

-mike

On Tue, 9 Jan 2001, Javier Megias wrote:

We're trying to get one server, that has IIS4 with MSDTC components, to talk
with a SQL Server 7 database with MSDTC, that is on the other interface of
the firewall (CheckPoint FW-1 SP3). It complains that it can't use RPC or
that the RPC call isn't working, so we're trying to find out what RPC app
number we must use; we have tried almost everything, and we can't get it to
work. The IIS is inside an NT Domain, and the SQL Server 7 is inside an NT
group.

                  IIS ----------- FW-1 ------SQLServer7

I think that the fact could be that we don't really know how RPC really
works :-) . Could any wizard shed some light on it?
Thanks,
Javier Megias

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
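Darren's point about Sun RPC is that the program number (the /etc/rpc number) and version sit in a fixed position in every ONC RPC call header, and that a portmapper GETPORT lookup carries the requested program number in its arguments, so a firewall can permit rstatd and refuse nfs without knowing which port either ends up on. The following Python is an added illustration of that decoding and is not code from the thread, from FW-1 or from IP Filter; it assumes UDP payloads (RFC 1057 layout, no TCP record mark), AUTH_NULL credentials in the constructed sample packets, and a constructed allow-list policy keyed on program number.

```python
import struct

# ONC RPC constants (RFC 1057): message type, portmapper program and procedure.
RPC_CALL = 0
RPC_VERSION = 2
PMAP_PROG = 100000       # portmapper / rpcbind
PMAP_GETPORT = 3         # "which port is program X version Y on?"
AUTH_NULL = 0
MAX_AUTH_BYTES = 400     # RFC 1057 bound on opaque_auth body

# Program numbers from the /etc/rpc table quoted in the thread, plus
# nlockmgr for the "file locking" case Darren mentions (constructed table).
RPC_PROGRAMS = {100003: "nfs", 100001: "rstatd", 100021: "nlockmgr", 100024: "status"}


def _u32(buf, off):
    """Read one XDR unsigned int (big-endian) or raise on truncation."""
    if off + 4 > len(buf):
        raise ValueError("truncated RPC header")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _opaque_auth(buf, off):
    """Skip an opaque_auth {flavor, length, body padded to 4} field."""
    flavor, off = _u32(buf, off)
    length, off = _u32(buf, off)
    if length > MAX_AUTH_BYTES:
        raise ValueError("auth body exceeds RFC 1057 limit")
    padded = (length + 3) & ~3
    if off + padded > len(buf):
        raise ValueError("truncated auth body")
    return flavor, buf[off:off + length], off + padded


def parse_call(payload):
    """Decode the fixed call header: xid, prog, vers, proc, then cred and verf."""
    xid, off = _u32(payload, 0)
    msg_type, off = _u32(payload, off)
    if msg_type != RPC_CALL:
        raise ValueError("not an RPC CALL message")
    rpcvers, off = _u32(payload, off)
    if rpcvers != RPC_VERSION:
        raise ValueError("unsupported RPC version %d" % rpcvers)
    prog, off = _u32(payload, off)
    vers, off = _u32(payload, off)
    proc, off = _u32(payload, off)
    _, _, off = _opaque_auth(payload, off)   # credentials
    _, _, off = _opaque_auth(payload, off)   # verifier
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "args": payload[off:]}


def target_program(call):
    """Program the call is really about.

    A portmapper GETPORT names the program being looked up in its first
    argument; filtering on that is what lets a firewall refuse the nfs lookup
    while letting the rstatd lookup succeed. Any other call is judged on its
    own program number.
    """
    if call["prog"] == PMAP_PROG and call["proc"] == PMAP_GETPORT:
        prog, _ = _u32(call["args"], 0)
        return prog
    return call["prog"]


def decide(payload, allowed_programs):
    """Return ("allow"|"deny", program) for one UDP RPC payload.

    Anything that does not parse as a well-formed CALL is denied, so a
    malformed packet cannot slip past the program-number check.
    """
    try:
        call = parse_call(payload)
        prog = target_program(call)
    except ValueError:
        return "deny", None
    verdict = "allow" if prog in allowed_programs else "deny"
    return verdict, prog


# --- constructed sample traffic for demonstration -------------------------

def build_call(xid, prog, vers, proc, args=b""):
    """Assemble a minimal RPC CALL with AUTH_NULL cred and verf."""
    header = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    auth_null = struct.pack(">II", AUTH_NULL, 0)
    return header + auth_null + auth_null + args


def getport_args(prog, vers, prot=17):
    """Arguments of PMAPPROC_GETPORT: prog, vers, prot (17 = udp), port (ignored)."""
    return struct.pack(">IIII", prog, vers, prot, 0)


if __name__ == "__main__":
    policy = {100001}   # rstatd only, as in the thread's example
    samples = [
        ("rstatd call", build_call(1, 100001, 3, 1)),
        ("nfs call", build_call(2, 100003, 2, 1)),
        ("GETPORT for rstatd", build_call(3, PMAP_PROG, 2, PMAP_GETPORT, getport_args(100001, 3))),
        ("GETPORT for nfs", build_call(4, PMAP_PROG, 2, PMAP_GETPORT, getport_args(100003, 2))),
        ("garbage", b"\x00" * 8),
    ]
    for label, pkt in samples:
        verdict, prog = decide(pkt, policy)
        print("%-20s -> %-5s (%s)" % (label, verdict, RPC_PROGRAMS.get(prog, prog)))
```

The policy never mentions 2049 or 61193: the port a service lands on is irrelevant once the decision is made on the program number carried in the packet, which is exactly the property Darren says MS RPC-loc traffic lacks from the firewall's point of view.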





