Firewall Wizards mailing list archives
RE: Details on Sidewinder RPC proxy support?
From: "Lee (Lockdown) Hughes" <lee () polestar co uk>
Date: Wed, 25 Aug 1999 11:37:55 +0100
I'm new to this list, but I'd advise your client not to map client or server RPC requests through their firewall. You're asking for trouble; if you can push them down either an IPsec VPN route or some IP tunneling system, then do it. RPC is a very complex procedure, and has many holes actually within the layer 7 part of it: buffer overflows, no parameter checking, possibly one of the most unhacked and unknown areas on the machine! Hackers like virgin. You may be able to use the Sun security system to deny socket connections via the source IP address, but again you can just walk through that with a bit of IP spoofing on the attacker's side.

Again, I don't think your client understands the nature of the Internet; the application should be written with the public Internet in mind. That's the main difference between an intranet and an Internet web application: you can do lots of 'clever stuff', as my developers call it, on the intranet, but go public and you have to rethink A LOT of things. Without re-coding their apps to use common and easily controlled protocols such as HTTP, there's not much else I can say. Okay, you can get very expensive and sophisticated firewall solutions, but keeping this secure will be a major problem. Without knowing what the application does, it's hard to say if using RPC is justified!

Cheers,
Lee

-----Original Message-----
From: Chris Shenton [mailto:cshenton () uucom com]
Sent: 24 August 1999 19:53
To: Firewall-Wizards@Nfr.Net
Subject: Details on Sidewinder RPC proxy support?

I have a client who plans to run RPC across their firewall and believes that SideWinder's recently added RPC proxy may solve all their problems. Worse, they want to run CORBA in the future, across the firewall, through the "extranets", across the WAN, over the river and through the woods for all I can tell.

I've not been terribly keen to architect systems this way and would prefer they put the two machines which (currently) need to speak RPC on the inside of the firewall. (It's just an app server talking to a database, after all!)

I think you'd have to have a fairly sophisticated RPC proxy to track portmapper requests/responses. Further, if you wanted to keep out hostile traffic rather than simply act like a stateful packet filter, you'd have to get into the application layer and examine for hostile requests.

I've read the SideWinder Tech Brief document at http://www.sctc.com/SW41TechBrief.zip where it says:

    The Sun RPC proxy mediates requests from an RPC client to a server's
    portmapper process. The Sun ONC RPC format is supported. This feature
    will allow client/server applications to communicate securely through
    the firewall.

I need to know how much detail the firewall examines, how fine-grained I can tighten down the RPC proxy on Sidewinder.

* can I restrict certain from/to hosts and ports?
* can I restrict to specific portmapper service numbers?
* can I permit/deny certain RPC commands?

Any other thoughts on how to improve security here if they won't let me re-architect?

Thanks for your help.
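To make concrete what "restrict to specific portmapper service numbers" and "permit/deny certain RPC commands" would require of an application-layer RPC proxy, here is an added example that is not part of either message above and not Sidewinder's code. It parses the fixed header of an ONC RPC CALL message (RFC 5531, the successor of RFC 1831, with UDP framing and no TCP record mark), decodes the arguments of the portmapper's PMAPPROC_GETPORT procedure (RFC 1833), and applies a hypothetical allow-list keyed on (program, version, procedure). The program number 200000 for the "app server", the policy table and the sample messages are all constructed for this illustration; only the portmapper constants come from the RFCs.

```python
import struct

# ONC RPC constants from RFC 5531 (formerly RFC 1831) and the portmapper
# program definition in RFC 1833.
CALL = 0
RPC_VERSION = 2
AUTH_NULL = 0
PMAP_PROG = 100000
PMAP_VERS = 2
PMAPPROC_GETPORT = 3


def _u32(buf, off):
    """Read one big-endian XDR unsigned int; fail closed on short input."""
    if off + 4 > len(buf):
        raise ValueError("truncated RPC message at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _opaque_auth(buf, off):
    """Parse an opaque_auth struct: flavor, length, body padded to 4 bytes."""
    flavor, off = _u32(buf, off)
    length, off = _u32(buf, off)
    if length > 400:  # RFC 5531 caps auth bodies at 400 bytes
        raise ValueError("oversized auth body (%d bytes)" % length)
    padded = (length + 3) & ~3
    if off + padded > len(buf):
        raise ValueError("truncated auth body")
    return (flavor, buf[off:off + length]), off + padded


def parse_rpc_call(buf):
    """Parse the header of an ONC RPC CALL; returns a dict with the
    fields a proxy needs to make a policy decision plus the raw params."""
    off = 0
    xid, off = _u32(buf, off)
    mtype, off = _u32(buf, off)
    if mtype != CALL:
        raise ValueError("not a CALL message")
    rpcvers, off = _u32(buf, off)
    if rpcvers != RPC_VERSION:
        raise ValueError("unsupported RPC version %d" % rpcvers)
    prog, off = _u32(buf, off)
    vers, off = _u32(buf, off)
    proc, off = _u32(buf, off)
    cred, off = _opaque_auth(buf, off)
    verf, off = _opaque_auth(buf, off)
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred": cred, "verf": verf, "params": buf[off:]}


def parse_getport_args(params):
    """PMAPPROC_GETPORT takes an RFC 1833 'mapping': prog, vers, prot, port."""
    if len(params) < 16:
        raise ValueError("truncated GETPORT arguments")
    prog, vers, prot, port = struct.unpack_from(">IIII", params, 0)
    return {"prog": prog, "vers": vers, "prot": prot, "port": port}


# Hypothetical proxy policy (constructed): (program, version) -> allowed procs.
# The portmapper may only answer GETPORT, and GETPORT may only be asked
# about the app-server program; everything else is dropped.
POLICY = {
    (PMAP_PROG, PMAP_VERS): {PMAPPROC_GETPORT},
    (200000, 1): {1, 2},  # hypothetical app-server program, two permitted procs
}
GETPORT_ALLOWED_TARGETS = {(200000, 1)}


def decide(buf):
    """Return ('allow'|'deny', reason) for one raw RPC call, as a strict
    application-layer proxy would; anything unparseable is denied."""
    try:
        call = parse_rpc_call(buf)
    except ValueError as e:
        return "deny", "malformed: %s" % e
    key = (call["prog"], call["vers"])
    if key not in POLICY:
        return "deny", "program %d v%d not permitted" % key
    if call["proc"] not in POLICY[key]:
        return "deny", "proc %d of program %d not permitted" % (call["proc"], call["prog"])
    if key == (PMAP_PROG, PMAP_VERS) and call["proc"] == PMAPPROC_GETPORT:
        try:
            args = parse_getport_args(call["params"])
        except ValueError as e:
            return "deny", "malformed: %s" % e
        if (args["prog"], args["vers"]) not in GETPORT_ALLOWED_TARGETS:
            return "deny", "GETPORT lookup of program %d not permitted" % args["prog"]
    return "allow", "ok"


def build_call(xid, prog, vers, proc, params=b""):
    """Build a CALL with AUTH_NULL cred and verf (used only to construct samples)."""
    hdr = struct.pack(">IIIIII", xid, CALL, RPC_VERSION, prog, vers, proc)
    auth_null = struct.pack(">II", AUTH_NULL, 0)
    return hdr + auth_null + auth_null + params


# Constructed sample traffic: a GETPORT lookup of the app program over TCP
# (prot 6), the same lookup for NFS (100003), a call to a non-permitted
# procedure of the app program, and a message cut off inside the header.
SAMPLES = {
    "getport_app": build_call(1, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,
                              struct.pack(">IIII", 200000, 1, 6, 0)),
    "getport_nfs": build_call(2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,
                              struct.pack(">IIII", 100003, 3, 6, 0)),
    "app_proc7": build_call(3, 200000, 1, 7),
    "truncated": build_call(4, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)[:20],
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, decide(msg))
```

The point the example makes is that even the narrowest useful policy forces the proxy to decode XDR, including variable-length auth fields, before it can see the program and procedure numbers; a packet filter that only tracks the port returned by the portmapper has no view of this. Note that the sample runs only on the CALL side: a real proxy would also have to parse the GETPORT reply and open the dynamically assigned port, which is the state tracking Chris refers to.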
Current thread:
- Details on Sidewinder RPC proxy support? Chris Shenton (Aug 24)
- <Possible follow-ups>
- RE: Details on Sidewinder RPC proxy support? Lee (Lockdown) Hughes (Aug 25)
- Re: Details on Sidewinder RPC proxy support? Ivan Arce (Aug 30)