Firewall Wizards mailing list archives
RE: MS DCOM & Tunneling TCP/IP
From: "Phil Cox" <Phil.Cox () SystemExperts com>
Date: Thu, 11 Nov 1999 17:03:08 -0800
"firewall-friendly" suite by default. However, its developers realized the need to implement features which would allow DCOM to be used in a more "secure" manner. I describe two of the possibilities below.
This is a VERY loose definition of "secure" in my book...
My question is this -- what pros and cons can be made for each method of accepting DCOM through a firewall? I'm more interested in the security
Depends on how much you don't want your internal system compromised...
B) Tunneling DCOM over another port, such as TCP 80 (HTTP). IMHO - with this method I feel like you wouldn't be able to tell much from logs, other than a bunch of HTTP traffic is passing through the firewall.
<climb up on soap box> This should NEVER be allowed as far as I am concerned. This is the epitome of port misuse in my book. I expect Web protocols to go over this port, and NOT RPC. THIS IS NOT HTTP traffic, it is RPC traffic, just over port 80, so your logs won't show squat. It infuriates me to know that people will go so far as to say, "well if they won't let it through the ports I want, then I'll just run it over a port they have to let through". This TCP/IP Tunneling is (or at least should be) a main selling point for Proxies over filters, so vendors cannot purposefully violate your security policy!!!!! <step down>

Needless to say, I am strongly against generic DCOM in any form traversing the DMZ. Too many "cool features" + too many junior coders = Internal net compromise. It is not worth it.

Phil
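The filter-versus-proxy point above (a packet filter logs "TCP to port 80" whatever the payload is, while a proxy can refuse anything that is not syntactically HTTP), as an added worked example that is not part of the original thread. The sample payloads are constructed here: one real HTTP request line, one connection-oriented DCE/RPC "bind" PDU of the kind a DCOM client sends first (DCE/RPC is the wire protocol under DCOM), and one blob that is neither. The functions `classify`, `proxy_decision`, `filter_log` and `proxy_log` are hypothetical names for this illustration, not any vendor's API.

```python
import re

# Request-line grammar accepted on port 80: METHOD SP target SP HTTP/1.x CRLF
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

# Connection-oriented DCE/RPC common header: byte 0 = major version (5),
# byte 1 = minor version (0 or 1), byte 2 = PDU type. A DCOM client opens
# a session with a "bind" PDU (type 11) before any method call (type 0).
DCERPC_PTYPES = {0: "request", 2: "response", 11: "bind", 12: "bind_ack",
                 13: "bind_nak", 14: "alter_context"}

# Constructed sample payloads: the first client bytes of a TCP stream to port 80.
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_DCERPC_BIND = bytes([
    5, 0,            # rpc_vers, rpc_vers_minor
    11,              # ptype = bind
    0x03,            # pfc_flags: first + last fragment
    0x10, 0, 0, 0,   # data representation: little-endian integers, ASCII chars
    72, 0,           # frag_length (little-endian), whole PDU is 72 bytes
    0, 0,            # auth_length
    1, 0, 0, 0,      # call_id
]) + b"\x00" * 56    # remainder of the bind PDU; contents do not matter here
SAMPLE_OTHER = b"\x16\x03\x01\x00\x05hello"  # neither HTTP nor DCE/RPC


def classify(payload: bytes) -> str:
    """Return 'http', 'dcerpc:<pdu type>' or 'unknown' for the opening bytes
    of a client-to-server stream. This is the check a protocol-aware proxy
    makes and a port-based packet filter cannot."""
    m = REQUEST_LINE.match(payload)
    if m and m.group(1).decode("ascii") in HTTP_METHODS:
        return "http"
    if len(payload) >= 16 and payload[0] == 5 and payload[1] in (0, 1):
        ptype = payload[2]
        if ptype in DCERPC_PTYPES:
            return f"dcerpc:{DCERPC_PTYPES[ptype]}"
    return "unknown"


def proxy_decision(payload: bytes):
    """Only syntactically valid HTTP is relayed; everything else is refused."""
    verdict = classify(payload)
    return ("allow" if verdict == "http" else "deny"), verdict


def filter_log(src: str, dst: str, payload: bytes) -> str:
    """A stateless port filter only sees the 5-tuple, so every payload
    destined for port 80 produces the identical log line."""
    return f"ACCEPT tcp {src} -> {dst}:80"


def proxy_log(src: str, dst: str, payload: bytes) -> str:
    """A proxy that parses the protocol can record what actually went through."""
    decision, verdict = proxy_decision(payload)
    return f"{decision.upper()} {src} -> {dst}:80 proto={verdict}"


if __name__ == "__main__":
    for name, p in [("http", SAMPLE_HTTP), ("dcom bind", SAMPLE_DCERPC_BIND), ("other", SAMPLE_OTHER)]:
        print(f"{name:10} filter: {filter_log('10.0.0.5:1034', '192.0.2.10', p)}")
        print(f"{name:10} proxy:  {proxy_log('10.0.0.5:1034', '192.0.2.10', p)}")
```

Run stand-alone, the script prints three identical filter lines and three different proxy lines; the DCE/RPC bind is the one a filter log would have buried among "a bunch of HTTP traffic". The check only inspects the first bytes of the stream, so it says nothing about tunnels that wrap RPC inside real HTTP requests; catching those needs the proxy to parse message bodies as well, which is outside this example.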
Current thread:
- MS DCOM & Tunneling TCP/IP Coleman,Clayton L. (Nov 10)
- Re: MS DCOM & Tunneling TCP/IP Joseph S D Yao (Nov 10)
- RE: MS DCOM & Tunneling TCP/IP Phil Cox (Nov 14)