Firewall Wizards mailing list archives

Re: RPC 135


From: Norman Zhang <norman.zhang () gmail com>
Date: Tue, 31 May 2005 21:06:40 -0600

Paul D. Robertson wrote:
> You do realize that once you start to allow any sort of RPC through your
> firewall it starts to defeat the purpose of having one, don't you?

I believe on the Checkpoint FW, the particular RPC is locked down to program number and port mapper UUID for DCOM/MS-RPC. Thus, I think stateful inspection can be more thorough as compared to TCP\135?

> There have been enough implementation problems in both Windows and Unix RPC
> programs over the years that the end-game isn't likely to decrease your
> risk all that significantly.  Firewalls are boundary protection devices
> for different trust boundaries, allowing DCOM and RPC pretty much means
> any compromise at either end "wins."

> Also, portmapper just tells you where RPC services live, you still have to
> allow those services to get any value from them, and well, that's where
> the bugs have been...

Basically, I could allow the RPC service to pass through. Then only the specific services that are tied to that port can get through? E.g., allowing MS-RPC\135, then DC replication and authentication will be able to go through. If I allow TCP\135, it means any TCP traffic going through port 135 will be able to get through.

Regards,
Norman Zhang
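As an added illustration (not part of the thread, and not any vendor's code) of the difference Norman is asking about: a plain TCP/135 rule sees only a port number, while an RPC-aware rule can parse the DCE/RPC bind PDU, read the interface UUID the client asks for, and admit only allowlisted interfaces such as DC replication. The bind PDUs below are constructed inline; the DRSUAPI and endpoint-mapper UUIDs are the well-known interface ids.

```python
import struct
import uuid

# Well-known DCE/RPC interface UUIDs (abstract syntaxes) and the NDR transfer syntax.
DRSUAPI_UUID = uuid.UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")  # AD replication
EPM_UUID = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")      # endpoint mapper
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

def build_bind(iface, iface_ver=(4, 0)):
    """Constructed sample: a minimal little-endian DCE/RPC v5 bind PDU (ptype 11)
    requesting one interface with the NDR transfer syntax."""
    ctx = struct.pack("<HBB", 0, 1, 0)                   # context id, n_transfer, pad
    ctx += iface.bytes_le + struct.pack("<HH", *iface_ver)
    ctx += NDR_UUID.bytes_le + struct.pack("<I", 2)       # NDR transfer syntax v2
    body = struct.pack("<HHI", 5840, 5840, 0)             # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", 1, 0, 0) + ctx            # n_context_elem + 3 pad bytes
    hdr = bytes([5, 0, 11, 3])                            # ver 5.0, ptype bind, first|last
    hdr += bytes([0x10, 0, 0, 0])                         # data representation: LE
    hdr += struct.pack("<HHI", 16 + len(body), 0, 1)      # frag_len, auth_len, call_id
    return hdr + body

def bind_interfaces(pdu):
    """Return the interface UUIDs requested in a bind PDU; raise ValueError if malformed."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 11:
        raise ValueError("not a DCE/RPC v5 bind")
    little = bool(pdu[4] & 0x10)
    frag_len = struct.unpack("<H" if little else ">H", pdu[8:10])[0]
    if frag_len != len(pdu):
        raise ValueError("frag_len does not match PDU size")
    n_ctx, off, found = pdu[24], 28, []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated presentation context list")
        n_ts = pdu[off + 2]
        raw = pdu[off + 4:off + 20]
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * n_ts                              # skip version + transfer syntaxes
    return found

def rpc_filter(pdu, allowed):
    """Decision an RPC-aware filter can make and a bare TCP/135 rule cannot:
    admit the bind only if every requested interface is on the allowlist."""
    try:
        ifaces = bind_interfaces(pdu)
    except ValueError:
        return False
    return bool(ifaces) and all(i in allowed for i in ifaces)
```

A TCP/135 rule would pass every one of these byte strings, including non-RPC traffic; the interface check is what narrows port 135 to the services actually needed.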

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards