RE: [FW1] HP Openview DCE RPC Security Concerns
A break-in to a DMZ machine can be quite serious.... as this can be used to compromise other DMZ servers plus internal machines too. What can you do about it... Again, the connection direction you say is bidirectional...which is rather bad.. You're wise not to let unauthenticated RPC/DCE through to your internal network from the DMZ..., it's full of security holes, it's a complex network protocol...finding people who know how to use it is difficult, finding those who know how to secure it is even more so.... :-).

Have a look at HP Firehunter, it can use basic HTTP and ICMP traffic for monitoring rather than full-on RPC/DCE stuff, it's designed for ISPs so has a bit of security built in too....remember...right tool, right job.

Again, the firewall has no 'knowledge' of what the RPC is actually doing, this security blindness is a feature.. ;-) ...it's all layer 7 stuff... :-). Maybe an RPC proxy might help, but they can cause trouble themselves..

The solution I'd go for is to set up another monitoring station for DMZ or extranet machines, within the DMZ, or a VLAN within the DMZ.....thus if your DMZ is compromised, they could break into the monitoring station, which as a rule only monitors and has data on DMZ machines.. Again, for a hacker to gain access to your monitoring station, it's a whole honeypot full of vital information, I'd target this first if I was hacking your network. :-).

Again, locking down security in the DMZ is vital, and think about running some IDS tools on there too... :-)... If you have a break-in, you may not prevent it, but it's a good idea for an alarm to ring, so you can at least have a look at it. (let's hope you're not on holiday when it happens). DMZ security is very important, you should be able to hear a pin drop in this zone, and for you to know about it. Firewalls do some of the job, but don't be fooled into a false sense of security with them.

Let me know how you get on.
Cheers,
Lee

'are the words 'Security Consultant' and 'Mafia Extortion' interchangeable?'

-----Original Message-----
From: Jon R. Allen [mailto:[email protected]]
Sent: 05 October 2000 22:03
To: [email protected]
Subject: [FW1] HP Openview DCE RPC Security Concerns

My customer manages their internal machines using HP Openview. With this configuration, a piece of client software is installed on the target machine and Openview talks to it using DCE/RPC. Currently we have quite a few servers deployed on a DMZ and the customer would like to 'monitor' them using the same Openview setup. This involves opening up a number of DCE/RPC ports bidirectionally from the inside to the DMZ and back.

I am concerned that if the server in the DMZ gets hacked, someone could then exploit an RPC bug, gain access to the internal Openview machine and then have a free run of the internal network. Is this a valid concern for denying the use of Openview DCE/RPC? Is there a better way to allow the broad functionality of the Openview client, but have it restricted to using some 'simpler and safer' protocol?

Obviously it would be nice to monitor the DMZ machines with the Openview client since it reports on all sorts of statistics and watches 'services' as opposed to ping or SNMP which give back less information and basically only tell if the machine is up or down. Other people must monitor the resources of their critical machines in the DMZ somehow safely....
-Jon

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
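The concern in the question (DCE/RPC opened bidirectionally between the inside and the DMZ) and the reply's suggestion (a separate monitoring station inside the DMZ, so nothing in the DMZ needs to initiate inward) can be checked mechanically against a rule base. The following is an added example, not code from the thread or from any firewall product: the zone names, trust order, rule format and both rule sets are constructed, and the DCE/RPC endpoint mapper port 135 with a high dynamic range is assumed to stand for the "number of DCE/RPC ports" the question mentions.

```python
# Added example (not from the thread): flag firewall rules that let a
# less-trusted zone (e.g. the DMZ) initiate connections into a more-trusted
# one, which is exactly what a compromised DMZ host would use.
from dataclasses import dataclass

TRUST = {"outside": 0, "dmz": 1, "internal": 2}   # assumption: higher = more trusted
DCE_ENDPOINT_MAPPER = 135                          # DCE/RPC endpoint map, TCP/UDP


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # zone the connection is initiated from
    dst: str        # zone it is initiated to
    proto: str
    port_lo: int
    port_hi: int


def review(rules):
    """Return [(rule name, [reasons])] for every rule that lets a lower-trust
    zone open connections into a higher-trust zone."""
    out = []
    for r in rules:
        if TRUST[r.src] >= TRUST[r.dst]:
            continue                       # initiated outward: not the concern here
        reasons = [f"{r.src} may initiate into {r.dst}"]
        if r.port_lo <= DCE_ENDPOINT_MAPPER <= r.port_hi:
            reasons.append("DCE/RPC endpoint mapper reachable")
        if r.port_hi - r.port_lo >= 100:
            reasons.append(f"dynamic port range {r.port_lo}-{r.port_hi} opened")
        out.append((r.name, reasons))
    return out


# Constructed: the bidirectional DCE/RPC opening described in the question.
PROPOSED = [
    Rule("ov-epm-out", "internal", "dmz", "tcp", 135, 135),
    Rule("ov-dyn-out", "internal", "dmz", "tcp", 1024, 65535),
    Rule("ov-epm-in", "dmz", "internal", "tcp", 135, 135),
    Rule("ov-dyn-in", "dmz", "internal", "tcp", 1024, 65535),
]
# Constructed: a separate monitoring station in the DMZ, reached only from inside.
SEPARATE_STATION = [
    Rule("mon-https", "internal", "dmz", "tcp", 443, 443),
]

if __name__ == "__main__":
    for name, reasons in review(PROPOSED):
        print(name, "->", "; ".join(reasons))
    print("separate station findings:", review(SEPARATE_STATION))
```

Only the two DMZ-initiated rules of the proposed set are reported; the separate-station design produces no findings because nothing in the DMZ is allowed to open a connection inward.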