Encrypted RPC and firewalling
hi all

I would like to know how you guys handle encrypted RPC across firewalls.

We utilize an ASA platform and the DCERPC inspection can't handle encrypted RPC (which is standard in most Windows 2008 and default in all communication in Exchange 2010). Cisco says: disable encryption or create "allow any" rules.

Do you limit the RPC port range on the Windows systems and make "holes" in the firewall for these, or do you disable RPC encryption?

Please share your knowledge in this area.

Best regards
Lasse Birnbaum Jensen
Network administrator, IT-Service
University of Southern Denmark
Email: lasse@sdu.dk
On Thu, 10 Nov 2011 09:56:51 +0100, Lasse Birnbaum Jensen said:

> I would like to know how you guys handle encrypted RPC across firewalls.

You can always just set the firewall to ban RPC in general, whether or not it's encrypted (while you're there, close off ports 137-139 and other chucklehead stuff like that), and just make the user who's outside the firewall VPN in. That's a nice, simple, well-understood configuration that almost all software and even most users can handle.

(We don't actually do a big monolithic firewall box - but pretty much everything has an iptables ruleset loaded that says "if your source IP isn't inside our 2 /16s, your packets go bye bye". And there's a nice PPTP-based VPN solution in place that even a humanities professor emeritus can use ;)
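The per-host ruleset Valdis describes (trust two campus /16s and the VPN pool, let PPTP in from anywhere, drop everything else including RPC regardless of encryption), written out as an added example rather than anyone's actual configuration. The network ranges, the VPN pool and the `--apply` switch are constructed for illustration; the script only emits iptables-restore text unless explicitly asked to load it.

```shell
#!/bin/sh
# Added example, not a poster's configuration. Networks are constructed
# placeholders in RFC 2544 benchmark space; substitute your own.
set -e

INSIDE_NETS="198.18.0.0/16 198.19.0.0/16"   # constructed: the "2 /16s"
VPN_POOL="198.18.250.0/24"                 # constructed: PPTP client address pool

# Endpoint mapper (135), NetBIOS (137-139) and SMB (445). Encrypted RPC moves
# to a dynamic high port after the mapper exchange, so a port ACL cannot
# follow it; trusting source networks instead sidesteps that problem.
RPC_PORTS="135,137,138,139,445"

# Emit an iptables-restore ruleset on stdout so the policy can be reviewed
# and tested without touching a live host.
build_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # PPTP control channel (tcp/1723) and GRE (protocol 47) from anywhere:
    # the only door for off-campus users.
    echo '-A INPUT -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT'
    echo '-A INPUT -p 47 -j ACCEPT'
    for net in $INSIDE_NETS $VPN_POOL; do
        echo "-A INPUT -s $net -j ACCEPT"
    done
    # Everything else falls to the DROP policy; log RPC-ish probes first so
    # outside attempts show up in syslog at a bounded rate.
    echo "-A INPUT -p tcp -m multiport --dports $RPC_PORTS -m limit --limit 5/min -j LOG --log-prefix \"rpc-from-outside: \""
    echo "-A INPUT -p udp -m multiport --dports $RPC_PORTS -m limit --limit 5/min -j LOG --log-prefix \"rpc-from-outside: \""
    echo 'COMMIT'
}

# How many rules accept traffic from a given source network (expect 1).
count_accepts_for() {
    build_ruleset | grep -c -e "-s $1 -j ACCEPT"
}

# Sanity check: an unrestricted "-A INPUT -j ACCEPT" would be an "allow any".
has_allow_any() {
    if build_ruleset | grep -q '^-A INPUT -j ACCEPT$'; then echo yes; else echo no; fi
}

if [ "$1" = "--apply" ]; then
    build_ruleset | iptables-restore     # needs root; only on a real host
else
    build_ruleset
fi
```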
Also, most enterprises that support Exchange remote access use RPC over HTTPS, which is encrypted and easy to allow on the firewall.

----
Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

> -----Original Message-----
> From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
> Sent: Thursday, November 10, 2011 7:51 AM
> To: Lasse Birnbaum Jensen
> Cc: nanog@nanog.org
> Subject: Re: Encrypted RPC and firewalling
>
> On Thu, 10 Nov 2011 09:56:51 +0100, Lasse Birnbaum Jensen said:
>
> > I would like to know how you guys handle encrypted RPC across firewalls.
>
> You can always just set the firewall to ban RPC in general, whether or not it's encrypted (while you're there, close off ports 137-139 and other chucklehead stuff like that), and just make the user who's outside the firewall VPN in. That's a nice, simple, well-understood configuration that almost all software and even most users can handle.
>
> (We don't actually do a big monolithic firewall box - but pretty much everything has an iptables ruleset loaded that says "if your source IP isn't inside our 2 /16s, your packets go bye bye". And there's a nice PPTP-based VPN solution in place that even a humanities professor emeritus can use ;)