Firewall Wizards mailing list archives
Re: RPC 135
From: Norman Zhang <norman.zhang () gmail com>
Date: Tue, 31 May 2005 21:06:40 -0600
Paul D. Robertson wrote:
You do realize that once you start to allow any sort of RPC through your firewall it starts to defeat the purpose of having one, don't you?
I believe on the Checkpoint FW, the particular RPC is locked down to program number and port mapper UUID for DCOM/MS-RPC. Thus, I think stateful inspection can be more thorough as compared to TCP\135?
There have been enough implementation problems in both Windows and Unix RPC programs over the years that the end-game isn't likely to decrease your risk all that significantly. Firewalls are boundary protection devices for different trust boundaries, allowing DCOM and RPC pretty much means any compromise at either end "wins." Also, portmapper just tells you where RPC services live, you still have to allow those services to get any value from them, and well, that's where the bugs have been...
Basically, I could allow the RPC service to pass through. Then only specific service that are tied to that port can get through? E.g., Allowing MS-RPC\135, then DC replication and authentication will able to go through. If I allow TCP\135, it mean any TCP traffic going through port 135 will be able to get through.
Regards, Norman Zhang _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: RPC 135 Norman Zhang (Jun 01)