Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: RPC over HTTP security

from [Depp, Dennis M.] Network Security [Permanent Link]
Subject: RE: RPC over HTTP security
Date: Mon, 31 Jan 2005 11:13:54 -0500 
1)  RPC over HTTPS also provides authentication and encryption.
2)  This funcionality is not in RPC over HTTPS.  :(  I wonder how many
VPNs are actually using this capability.  Also how many VPN vendors
provide this capability.
3)  RPC over HTTPS can be setup to access only one resource I.e.
Exchange.
4)  If you are running OWA, you are not exposing any additional
interfaces to the public.  

The ability to reject connections based on Antivirus settings is a
vailid reason for not using RPC over HTTPS.  Your other three reasons
show unfamiliarity of the technology and how to configure it.
Unfamiliarity of a technology is a valid reason not to implement it.
Other valid reasons not wanting to implement a "redundant" technology.
i.e. If VPN works, why setup RPC over HTTPS with all the costs
associated with it?  There are reasons for avoiding RPC over HTTPS.
Major security problems with the protocol are not one of them.

Dennis 

-----Original Message-----
From: Shawn Wall [mailto:sjwall@shaw.ca] 
Sent: Monday, January 31, 2005 10:52 AM
To: Depp, Dennis M.; 'Ansgar -59cobalt- Wiechers';
security-basics@securityfocus.com
Subject: RE: RPC over HTTP security

To clarify, I'm not saying it is 'better' or more secure just that I
prefer
a VPN for the following reasons:

1. VPN provides authentication and encryption.
2. VPN access can be configured to reject clients if antivirus is not
installed/updated.
3. Granular access to network resources, i.e. access lists can be used
to
'contain' remote users.
4. Reduced exposure of network resources to the public, i.e the VPN is
usually terminated on the firewall and once authenticated, secure comms
with
specified internal resources is permitted.

In a way some of these features does make a VPN more secure from a
control
aspect.

shawn

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@ornl.gov] 
Sent: Saturday, January 29, 2005 9:16 AM
To: Shawn Wall; Ansgar -59cobalt- Wiechers;
security-basics@securityfocus.com
Subject: RE: RPC over HTTP security

Why is this better than RPC over HTTP?  I also have VPN setup.  However,
being able to access Outlook without having to fireup a VPN is very
nice.
Particularly if I want to quickly download my mail before going on a
trip or
attending a meeting.

Why do you feel VPN is more secure than RPC over HTTP?

Dennis 

-----Original Message-----
From: Shawn Wall [mailto:sjwall@shaw.ca]
Sent: Friday, January 28, 2005 4:12 PM
To: Depp, Dennis M.; 'Ansgar -59cobalt- Wiechers';
security-basics@securityfocus.com
Subject: RE: RPC over HTTP security

I think your best option is to use a VPN to allow your mobile users
access
to email if they require the functionality of Outlook vs OWA.
I've deployed this configuration using a PIX and Cisco VPN client. Works
very well.

shawn 

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
Sent: Friday, January 28, 2005 6:19 AM
To: Ansgar -59cobalt- Wiechers; security-basics@securityfocus.com
Subject: RE: RPC over HTTP security

Ansgar,

Answers to your questions.

1)  Because the functionality of RPC over HTTP(S) is a great benefit to
mobile users.
2)  It doesn't.  However, by "bloating" the protocol so it will work
over
HTTP, I have also "bloated" the protocol to allow it to work over HTTPS.
This allows me to secure the traffic.

Lets now look at RPC.  What are the major vulnerabilities of RPC?  RPC
does
not authenticate prior to allowing the connection to proceed.  Many of
the
RPC vulnerabilities would be neutered if RPC was force to authenticate
prior
to making the connection.  RPC over HTTP solves this problem by forcing
authentication.  When I add HTTPS to this senario, I have secured my
credentials while they are in an untrusted environment and provided
authentication prior to allowing RPC to proceed.  The RPC traffic is
also
passed through the SSL tunnel providing end-to-end security.

Dennis

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq@planetcobalt.net]
Sent: Wednesday, January 26, 2005 8:22 PM
To: security-basics@securityfocus.com
Subject: Re: RPC over HTTP security

On 2005-01-26 sf_mail_sbm@yahoo.com wrote:

We are thinking about deploying RPC over HTTP to access email from the



Internet


Ask yourself two questions:

1. Why does nobody in his right mind do RPC over untrusted networks?
2. How does bloating a protocol by encapsulating it in plain-text make
   it any better?

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve
neither liberty nor safety, and will lose both."
--Benjamin Franklin
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Some Few Doubts on IIS Vuln, kaps lock
Next by Date:  RE: Spyware blocking with HOSTS file on DNS server, Johnson, Joey
Previous by Thread:  RE: RPC over HTTP security, Paris E. Stone
Next by Thread:  Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?, John Doe
Indexes:  [Date] [Thread] [Top] [All Lists]