On Thu, 11 Feb 1999, Bernd Eckenfels wrote:
> On Wed, Feb 10, 1999 at 03:21:31PM -0500, cbrenton wrote:
> > assume you mean if access to port 135 is blocked? If so then yes, you need
> > to tickle port 135 to activate the dynamic ports.
>
> The question is why a professional product like fw1 does not support
> restricting the functions which are passed through its rpc proxy. I think the
> specs are open enough to have a rpc-portmap proxy which only allows the
> lookup of the exchange ports (or return fixed values).
Actually version 4 of FW-1 does have support for Exchange and does
pretty much what you describe, it watches the RPC traffic to figure out
which upper port numbers will be used.
In fact, this support could also be created for any version of Firewall-1
using their Inspect script. It's just easier for most people to hack a few
registry keys rather than learn a proprietary language. ;)
I think more to the point is why does Exchange (and NetMeeting and many
other MS networking products for that matter) insist on using DCOM when
it could work just as effectively using a couple of reserved port numbers.
That way you could still implement a security policy even if you are only
using static packet filters.
Cheers,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
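The two approaches in the thread (a static packet filter with Exchange's ports pinned via registry keys, versus a firewall that watches the endpoint-mapper exchange on port 135 and opens the announced upper port) can be contrasted in a small model. The following is an added illustration, not code from the thread, from FW-1 or from Microsoft: it is a constructed simulation in which endpoint-mapper replies arrive as already-decoded `EpmReply` records (a hypothetical type, no DCE/RPC wire parsing), the host names `client`, `other` and `exch` and the announced port 1600 are made-up values, and the trace is constructed for the demonstration.

```python
"""Toy model of the two firewall strategies discussed in the thread.

Constructed illustration: not FW-1 Inspect code and not a real DCE/RPC parser.
Endpoint-mapper replies are represented as already-decoded records so the
policy logic stays in focus.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

EPMAP_PORT = 135                     # MS RPC endpoint mapper
DYNAMIC_PORTS = range(1024, 65536)   # range RPC services normally bind in


@dataclass(frozen=True)
class Conn:
    """A new TCP connection attempt the firewall must accept or drop."""
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class EpmReply:
    """Hypothetical decoded endpoint-mapper answer: `server` told `client`
    that the requested service listens on `port`."""
    client: str
    server: str
    port: int


Event = Union[Conn, EpmReply]


class StaticFilter:
    """Static packet filter: permits only pre-configured (host, port) pairs.
    It never inspects RPC, so Exchange passes only if its ports are pinned."""

    def __init__(self, allowed: Set[Tuple[str, int]]):
        self.allowed = set(allowed)

    def observe(self, reply: EpmReply) -> None:
        pass  # no RPC awareness: nothing to learn from a reply

    def permit(self, c: Conn) -> bool:
        return (c.dst, c.dport) in self.allowed


class RpcAwareFilter:
    """Models what the post describes for FW-1 v4: watch endpoint-mapper
    traffic and open a narrow, expiring pinhole for the announced port."""

    def __init__(self, rpc_servers: Set[str], ttl: int = 60):
        self.rpc_servers = set(rpc_servers)
        self.ttl = ttl
        self.clock = 0
        # (client, server, port) -> tick at which the pinhole expires
        self.pinholes: Dict[Tuple[str, str, int], int] = {}

    def tick(self, n: int = 1) -> None:
        self.clock += n

    def observe(self, reply: EpmReply) -> None:
        # Honour replies only from hosts policy already allows RPC to, and never
        # let a reply open a privileged port: a bogus reply must not be able to
        # widen the policy beyond the dynamic range.
        if reply.server not in self.rpc_servers or reply.port not in DYNAMIC_PORTS:
            return
        self.pinholes[(reply.client, reply.server, reply.port)] = self.clock + self.ttl

    def permit(self, c: Conn) -> bool:
        if c.dport == EPMAP_PORT and c.dst in self.rpc_servers:
            return True  # the lookup itself is allowed by static policy
        key = (c.src, c.dst, c.dport)
        expires = self.pinholes.get(key)
        if expires is None:
            return False
        if expires < self.clock:
            del self.pinholes[key]  # stale pinhole: close it
            return False
        return True


def run_trace(policy, events: List[Event]) -> List[bool]:
    """Feed events through a policy; return the verdict for each Conn."""
    verdicts = []
    for ev in events:
        if isinstance(ev, EpmReply):
            policy.observe(ev)
        else:
            verdicts.append(policy.permit(ev))
    return verdicts


# Constructed trace: a client looks up Exchange's endpoint, the server answers
# with port 1600 (made-up value), the client connects to it, another host tries
# the same announced port, and the client tries a port that was never announced.
TRACE: List[Event] = [
    Conn("client", "exch", EPMAP_PORT),
    EpmReply("client", "exch", 1600),
    Conn("client", "exch", 1600),
    Conn("other", "exch", 1600),
    Conn("client", "exch", 5555),
]


def compare_policies() -> Dict[str, List[bool]]:
    """Verdicts of each policy for TRACE, keyed by policy name."""
    return {
        "static_135_only": run_trace(StaticFilter({("exch", 135)}), TRACE),
        "static_pinned": run_trace(StaticFilter({("exch", 135), ("exch", 1600)}), TRACE),
        "rpc_aware": run_trace(RpcAwareFilter({"exch"}), TRACE),
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:16s} {verdicts}")
```

Running it shows the trade-off the thread circles around: the static filter that only knows port 135 lets the lookup through but drops the session that follows; pinning Exchange's port makes the static filter work, but it then admits any source host to that port; the RPC-aware filter admits only the client that performed the lookup, only to the port the server announced, and only until the pinhole expires.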