Paul D. Robertson wrote:
> You do realize that once you start to allow any sort of RPC through your
> firewall it starts to defeat the purpose of having one, don't you?
I believe on the Checkpoint FW, the particular RPC is locked down to
program number and port mapper UUID for DCOM/MS-RPC. Thus, I think
stateful inspection can be more thorough as compared to TCP\135?
> There have been enough implementation problems in both Windows and Unix RPC
> programs over the years that the end-game isn't likely to decrease your
> risk all that significantly. Firewalls are boundary protection devices
> for different trust boundaries, allowing DCOM and RPC pretty much means
> any compromise at either end "wins."
>
> Also, portmapper just tells you where RPC services live, you still have to
> allow those services to get any value from them, and well, that's where
> the bugs have been...
Basically, I could allow the RPC service to pass through. Then only
specific service that are tied to that port can get through? E.g.,
Allowing MS-RPC\135, then DC replication and authentication will able to
go through. If I allow TCP\135, it mean any TCP traffic going through
port 135 will be able to get through.
Regards,
Norman Zhang
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jun 01 2005
Intro
