Filtering DCE-RPC through firewall



Edouard Dumy
07-09-2005, 10:50 PM
Hi,

We are currently designing a certification service where the MS Certificate server
is protected by a firewall under a DMZ and, for certificate renewal
purposes, we need to allow the clients to reach the Certificate Services
through the firewall (Firewall1 NG FP3).

On our firewall we already tried to create a new DCE-RPC service for
MS-CertService (with an interface UUID like:
91ae6020-9e3c-11cf-8d7c-00aa00c091be) but the associated rules (allowing the
use of this new service for external clients) seem to not work correctly
without any rejected records.

Does somebody know which kind of firewall rules, or specific MS CertServer
configuration, must be defined to allow this traffic under a stateful
firewall environment (Firewall1) without having to open all high TCP ports
between our server and clients?

Thanks in advance,

Regards.

Karl Levinson, mvp
07-09-2005, 10:50 PM
"Edouard Dumy" <Edouard.Dummy@discussions.microsoft.com.> wrote in message
news:346EA96E-FD66-4E13-B59C-4D7CB0DEEED3@microsoft.com...

> We currently design a certification service where the MS Certificate server
> is protected by a Firewall under an DMZ and, for certificate renewal
> purposes, we need to allow the clients to reach the Certificates Services
> through the firewall (Firewall1 NG FP3).

> Does somebody know which kind of firewall rules, or specific MS CertServer
> configuration, must be defined to allow this traffic under a stateful
> firewall environment (Firewall1) without having to open all high TCP ports
> between our server and clients?

Getting FW-1 to inspect RPC connections and handle them statefully [if it
can do so] is one solution. We can't help you with that here, since this
isn't a Checkpoint support group. If it's possible, you could google this,
or perhaps try checking the Phoneboy FW-1 FAQ and support mailing lists.

http://www.google.com/search?hl=en&q=checkpoint+firewall-1+rpc

OR

http://www.phoneboy.com/bin/view.pl/FAQs/HowDoesFireWall1SupportRPC
http://www.phoneboy.com/bin/view.pl/FAQs/EditingObjectsDotC
http://www.phoneboy.com/bin/view.pl/FAQs/WebHome [FAQ home page]
"FireWall-1 supports RPC by monitoring the client RPC request to the
portmapper. Then the portmapper replies with the port number. FireWall-1
temporarily opens up that port number for the connection from the client to
the server. Once the connection is over, FireWall-1 will close up the port.

4.0 and later firewalls, modify $FWDIR/conf/objects.C on the management
console so the property enable_tcprpc is true."

This suggests to me that you should just add the "dce-rpc" object that came
with FW-1 to a rule instead of making your own, although you may have to
edit objects.C for TCP RPC to be supported. This makes sense to me, since
if you use the ftp object that came with FW-1, it will correctly monitor FTP
and dynamically open new temporary ports as necessary, but if you try to
create your own, it won't work.


Here is the other possible solution, configuring the Windows server to limit
what RPC ports are used:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q154596
http://msdn.microsoft.com/library/en-us/rpc/rpc/configuring_the_windows_xp_2000_nt_registry_for_port_allocations_and_selective_binding.asp

As the first article states, use the RPCCFG tool to do this on Windows 2003,
from the site below:

http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/rpccfg-o.asp

--
regards,

Karl Levinson, MS MVP, CISSP
Microsoft Security FAQ:
http://securityadmin.info
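
The second option in the reply above (limiting which ports RPC allocates), sketched as an added example that is not part of the original thread or taken from the linked articles. It assumes a Windows Server with PowerShell and the NetTCPIP cmdlets, an illustrative range of 5000-5100, and that the Certificate Services service is registered as CertSvc; the registry value names are the ones documented in KB154596.

```powershell
# Added example. Run elevated on the certificate server.
# ASSUMPTION: 5000-5100 is an illustrative range. Use your own, and allow only
# that range plus TCP 135 (RPC endpoint mapper) from the clients on the firewall.
$PortRange = '5000-5100'
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcPortRange {
    param([string]$Range)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # Ports is REG_MULTI_SZ; the two flags are REG_SZ "Y" (KB154596).
    New-ItemProperty -Path $KeyPath -Name 'Ports' -PropertyType MultiString `
        -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'PortsInternetAvailable' `
        -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'UseInternetPorts' `
        -PropertyType String -Value 'Y' -Force | Out-Null
}

function Test-CertSvcListeners {
    # Run after the reboot: confirms the CA process only listens inside the range.
    param([string]$Range)
    $low, $high = $Range.Split('-') | ForEach-Object { [int]$_ }
    # ASSUMPTION: the CA runs as the service named CertSvc.
    $svc = Get-CimInstance Win32_Service -Filter "Name='CertSvc'"
    if (-not $svc -or $svc.ProcessId -eq 0) { throw 'CertSvc is not running.' }

    $listeners = @(Get-NetTCPConnection -State Listen `
        -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue)
    $outside = @($listeners |
        Where-Object { $_.LocalPort -lt $low -or $_.LocalPort -gt $high })

    [pscustomobject]@{
        ListeningPorts = $listeners.LocalPort | Sort-Object -Unique
        OutsideRange   = $outside.LocalPort  | Sort-Object -Unique
        Compliant      = ($listeners.Count -gt 0 -and $outside.Count -eq 0)
    }
}

Set-RpcPortRange -Range $PortRange
Get-ItemProperty -Path $KeyPath |
    Select-Object Ports, PortsInternetAvailable, UseInternetPorts
# The new range only takes effect after a restart of the server. Then run:
#   Test-CertSvcListeners -Range $PortRange
```

If `Compliant` is false after the restart, the firewall rule for the narrowed range will still drop renewal traffic, so check `OutsideRange` before tightening the rule.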

Edouard Dumy
07-09-2005, 10:51 PM
Hi Karl,

Really, thanks for your complete answer.

We had indeed not identified the point regarding the modification of
the file "objects.C" to support the RPC protocol over TCP under a Checkpoint
Firewall1 environment. We cannot currently test this modification, but I'll
post a notice after checking whether that solves the problem.

Regards.
--

