David is ok...You can look at it as a very big door opened.
But, as for RPC or any door opened on a firewall,
an appropriate security control can make it "reasonable".
By "appropriate" you mean a complete understanding
of the way that DCOM is implemented on the firewall:
this will surely go through the security policy
explicitly implemented for DCOM by the "firewall
provider", through the way you use this, through
what is "trusted stuff" in the environment where
you are, through the access control to those services,
through the environment relative exposure (DMZ or not),
through the interactions with the other "opened doors"
on your firewall and on your net, etc...

I do not see DCOM as a "communication protocol" but 
as a distributed architecture (something like a 
"Microsoft philosophy's framed network organisation"...
ok...I admit that I am a CORBA fan but I think 
I have good reasons for that...this is another story...)
Your firewall will not stop people doing DCOM
between its interfaces on any communication channel
you open. I imagine that what you want is to implement
some "DCOM compliant objects or services" directly on
your firewall and this will be just like implementing
any service on a firewall: you must look at the
interaction of that with your "firewall software
and hardware". It must at least respect all the security 
policies you established.

If what you want is to put on your firewall some
DCOM "service or object" that opens the communication
of objects on the different interfaces in a kind
of "high level exchange" between objects,
your "service or object" must include 
"forced security control at the same high level"
which generally means "authentication, signatures,
cryptography" and probably some form of control
that restricts the nature of transactions and
the transfer of "executable stuff". You are
working with a kind of "high level firewall"
which can usually be done if designed 
starting with a "completely closed approach"
with highly controlled deterministic openings
(only and exactly the stuff that is explicitly
allowed can go through the barrier, it can only
trigger explicit, predictable, tested actions, and you
have complete control to close this barrier).

If what you want is to open a DCOM service
with its default values without completely
controlling it: forget that. It is just 
like transforming your firewall into a house
with highly shielded doors in front and
all opened doors on the side and on the back
and publishing on the first page of the press
that there is a party in the shielded house 
and that everybody can get in by the doors 
not in the front...

Wish this can help...

---
Charles
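The "completely closed approach with highly controlled deterministic openings" described above, written out as a default-deny policy for a DCOM-style application gateway. This is an added example, not code from the thread or from any firewall product; every identifier in it (interface names such as IInventoryQuery, the zone names, the principals) is constructed for illustration and is not a real DCOM interface ID.

```python
"""Default-deny allowlist for a DCOM-style application gateway.

Added example (not from the original thread). Models the "completely
closed" design: only (interface, method) pairs that are explicitly
allowed pass, the caller must be authenticated, each opening is further
restricted by source zone, and payloads carrying executable content are
refused regardless of method. Interface, zone and principal names are
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    interface: str       # constructed interface name, e.g. "IInventoryQuery"
    method: str          # method on that interface, e.g. "GetStockLevel"
    principal: str       # authenticated caller identity, "" if anonymous
    authenticated: bool  # True only if authentication/signature check passed
    source_zone: str     # "internet", "dmz" or "internal"
    payload_kind: str    # "data" or "executable"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Allowlist: interface -> method -> zones the call may originate from.
# Anything not listed here is denied; this is the "closed" default.
ALLOWLIST = {
    "IInventoryQuery": {
        "GetStockLevel": {"dmz", "internal"},
    },
    "IOrderStatus": {
        "GetStatus": {"internet", "dmz", "internal"},
    },
}


def evaluate(req: Request) -> Decision:
    """Return the gateway decision for one request; deny unless every check passes."""
    # 1. Executable content never crosses the barrier, whatever the method.
    if req.payload_kind == "executable":
        return Decision(False, "executable payload refused")
    # 2. Every caller must be authenticated; anonymous access is the open side door.
    if not req.authenticated or not req.principal:
        return Decision(False, "caller not authenticated")
    # 3. Only explicitly exposed interface/method pairs are reachable at all.
    methods = ALLOWLIST.get(req.interface)
    if methods is None:
        return Decision(False, f"interface {req.interface} not exposed")
    zones = methods.get(req.method)
    if zones is None:
        return Decision(False, f"method {req.interface}.{req.method} not exposed")
    # 4. Each opening is further restricted by where the call comes from.
    if req.source_zone not in zones:
        return Decision(False, f"{req.source_zone} may not call {req.interface}.{req.method}")
    return Decision(True, "explicitly allowed")


def audit(requests):
    """Return one log line per request so denials can be reviewed by the operator."""
    lines = []
    for r in requests:
        d = evaluate(r)
        verdict = "ALLOW" if d.allowed else "DENY"
        lines.append(f"{verdict} {r.source_zone} {r.principal or '-'} "
                     f"{r.interface}.{r.method}: {d.reason}")
    return lines


# Constructed sample traffic: one allowed call and four different denials.
SAMPLE = [
    Request("IOrderStatus", "GetStatus", "alice", True, "internet", "data"),
    Request("IInventoryQuery", "GetStockLevel", "alice", True, "internet", "data"),
    Request("IFileAdmin", "DeleteFile", "alice", True, "internal", "data"),
    Request("IOrderStatus", "GetStatus", "", False, "internet", "data"),
    Request("IOrderStatus", "GetStatus", "bob", True, "dmz", "executable"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The point of the structure is that the allowlist is the only place where something becomes reachable, and removing an entry (or the whole table) closes the barrier completely; the executable-payload and authentication checks run before the table is even consulted, so no allowlist entry can accidentally override them.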

On Thu, 25 Feb 1999, David Gillett wrote:

> Date: Thu, 25 Feb 1999 17:30:39 -0800
> From: David Gillett <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: "Moscoe, Corey" <[EMAIL PROTECTED]>
> Subject: Re: DCOM Vulnerability
> 
> On 25 Feb 99, at 17:44, Moscoe, Corey wrote:
> 
> > Does anyone know what are the consequences/risks of having DCOM
> > enabled in an Internet Firewall.  I know that ISS identifies that as
> > a vulnerability, but I do not truly understand how this vulnerability
> > could be exploited or are there other controls that I could implement
> > which would mitigate this risk.  Unfortunately, I am not very
> > technical so any laymen terms would be appreciated.  Thank you. 
> 
>   DCOM is (Distributed) Component Object Model.  Think of it as an 
> object-oriented cousin to RPC.
>   Like RPC, it can be useful for building networked applications.
>   Like RPC, it can be dangerous if an outsider knows your machine has a 
> common component installed whose functions include, say, delete file, 
> transmit file, modify configuration, or other useful/dangerous 
> operations.
>   I don't think there's anyone in the world who knows what every third-
> party DCOM module installed on their PC is capable of.
> 
> 
> David G
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
