Firewall Wizards mailing list archives

Re: Re: RPC 135


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 31 May 2005 18:04:55 -0400 (EDT)

On Mon, 30 May 2005, Norman Zhang wrote:

Here we go...

> TCP\135 is allowed on the firewall. There are many DC's, NFS servers
> connected to the firewall, and need to access resources via TCP\135.

You do realize that once you start to allow any sort of RPC through your
firewall it starts to defeat the purpose of having one, don't you?

> > Do you have any devices that are currently doing strong authentication
> > now?  If so, describe how it is set up, and if you are able to use it
> > for remote administration.  If you don't have anything set up that you think
> > is classified as strong authentication, are you planning on putting it
> > in, and when?

> What do you mean by strong authentication? I don't manage any of the DCs.
> I'm not sure what authentication they use. I'm not too concerned about the
> authentication scheme that they use.

Then what's the point of having a firewall if you aren't managing
*RISK*?  Surely the whole point of a firewall administrator should be to
communicate the risk of allowing traffic, not to just be a hole puncher to
turn the plate of a firewall into a leaking sieve?

> I'd like to find out the technical details of converting TCP\135 to
> RPC\135. My understanding is TCP\135 or UDP\135 will allow anything that
> goes through 135, including Blaster, ..., etc. Enforcing RPC\135 will
> enable me to lock down the protocol to what program the RPC uses. E.g.,
> 10000 for portmapper/rpcbind, and some DCOM/MS-RPC for legit MS
> applications, such as Exchange, W2K DC. I'd like to know how stateful
> inspection would work for such RPC apps. Could someone please expand on
> this?

There have been enough implementation problems in both Windows and Unix RPC
programs over the years that the end-game isn't likely to decrease your
risk all that significantly.  Firewalls are boundary protection devices
for different trust boundaries, allowing DCOM and RPC pretty much means
any compromise at either end "wins."

Also, portmapper just tells you where RPC services live, you still have to
allow those services to get any value from them, and well, that's where
the bugs have been...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
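Paul's last point, that the portmapper only tells a client where the RPC services live and that the services themselves still have to be reachable through the firewall, can be made concrete by decoding what the mapper actually hands back. The following is an added example and not code from anyone in the thread: it encodes and parses a Sun RPC portmapper DUMP reply (RFC 5531 reply header plus the RFC 1833 pmaplist, program 100000 on port 111) and derives the extra (protocol, port) holes a firewall would need beyond 111 for the advertised services. The Windows endpoint mapper on TCP/135 plays the same role for MS-RPC/DCOM, returning dynamic endpoints that then have to be permitted as well. The program numbers are the well-known ones; the dynamic ports and the reply itself are constructed sample data.

```python
"""Decode a Sun RPC portmapper DUMP reply and list the firewall holes it implies.

Added example (not from the mailing-list thread). rpcbind/portmapper (RFC 1833,
program 100000, port 111) only advertises where each RPC program listens; the
sample mapping table below is constructed, not captured.
"""
import struct
from typing import List, NamedTuple, Tuple

MSG_REPLY, MSG_ACCEPTED, SUCCESS = 1, 0, 0      # RFC 5531 enum values
AUTH_NONE = 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PMAP_PROG, PMAP_PORT = 100000, 111


class Mapping(NamedTuple):
    prog: int
    vers: int
    prot: int
    port: int


def build_dump_reply(xid: int, mappings: List[Mapping]) -> bytes:
    """Encode an accepted PMAPPROC_DUMP reply: RPC reply header, AUTH_NONE
    verifier, accept_stat, then an XDR linked list of pmap entries ended by 0."""
    header = struct.pack(">IIIII", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NONE, 0)
    body = struct.pack(">I", SUCCESS)
    for m in mappings:
        body += struct.pack(">IIIII", 1, m.prog, m.vers, m.prot, m.port)
    return header + body + struct.pack(">I", 0)


def parse_dump_reply(data: bytes) -> List[Mapping]:
    """Parse a DUMP reply defensively: every length is checked before use, so a
    truncated or malformed reply raises ValueError rather than an IndexError."""
    if len(data) < 20:
        raise ValueError("short RPC reply header")
    _xid, msg_type, reply_stat, _verf_flavor, verf_len = struct.unpack_from(">IIIII", data, 0)
    if msg_type != MSG_REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("not an accepted RPC reply")
    off = 20 + ((verf_len + 3) & ~3)           # opaque verifier is XDR-padded to 4 bytes
    if len(data) < off + 4:
        raise ValueError("truncated verifier")
    (accept_stat,) = struct.unpack_from(">I", data, off)
    off += 4
    if accept_stat != SUCCESS:
        raise ValueError(f"server rejected call, accept_stat={accept_stat}")
    mappings: List[Mapping] = []
    while True:
        if len(data) < off + 4:
            raise ValueError("truncated pmaplist")
        (more,) = struct.unpack_from(">I", data, off)
        off += 4
        if more == 0:
            break
        if more != 1 or len(data) < off + 16:
            raise ValueError("malformed pmaplist entry")
        prog, vers, prot, port = struct.unpack_from(">IIII", data, off)
        off += 16
        if prot not in (IPPROTO_TCP, IPPROTO_UDP) or port > 0xFFFF:
            raise ValueError(f"implausible mapping prog={prog} prot={prot} port={port}")
        mappings.append(Mapping(prog, vers, prot, port))
    if off != len(data):
        raise ValueError("trailing bytes after pmaplist")
    return mappings


def firewall_holes(mappings: List[Mapping]) -> List[Tuple[str, int]]:
    """(proto, port) pairs that must be opened in addition to 111 for the
    advertised services to be reachable; the mapper's own entries are skipped."""
    holes = {("tcp" if m.prot == IPPROTO_TCP else "udp", m.port)
             for m in mappings if m.prog != PMAP_PROG}
    return sorted(holes)


# Constructed sample: well-known program numbers, invented dynamic ports.
SAMPLE_MAPPINGS = [
    Mapping(PMAP_PROG, 2, IPPROTO_TCP, PMAP_PORT),
    Mapping(PMAP_PROG, 2, IPPROTO_UDP, PMAP_PORT),
    Mapping(100003, 3, IPPROTO_TCP, 2049),    # nfs
    Mapping(100003, 3, IPPROTO_UDP, 2049),
    Mapping(100005, 3, IPPROTO_TCP, 32771),   # mountd, dynamic port
    Mapping(100005, 3, IPPROTO_UDP, 32771),
    Mapping(100021, 4, IPPROTO_TCP, 32803),   # nlockmgr, dynamic port
    Mapping(100024, 1, IPPROTO_UDP, 32769),   # status, dynamic port
]
SAMPLE_REPLY = build_dump_reply(0x2A, SAMPLE_MAPPINGS)

if __name__ == "__main__":
    for m in parse_dump_reply(SAMPLE_REPLY):
        proto = "tcp" if m.prot == IPPROTO_TCP else "udp"
        print(f"prog {m.prog:>6} v{m.vers} {proto}/{m.port}")
    print("holes beyond 111:", firewall_holes(SAMPLE_MAPPINGS))
```

Run against the constructed reply, the parser returns the eight mappings and firewall_holes() lists six further (protocol, port) pairs, none of them 111. That is the practical shape of the problem: a rule for the mapper port alone reaches nothing useful, and the ports that do have to be opened are the ones the services themselves listen on, which change with each restart unless pinned.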

