Currently my company is running a Cisco PIX firewall running v6.01 code. I was recently asked to tighten our current conduits as they have fallen by the wayside in the last year or so.

A specific one that has been boggling me is a wide open conduit from the DMZ to an internal clustered SQL server running NT4 SP5. I'm not exactly sure how the whole clustered SQL stuff works, but from what I can gather, the cluster has a bunch of IP addresses, each representing a different service.

I set up a sniffer to track all the traffic on the DMZ and I've found some interesting traffic between the web server and the DTC address of the cluster. All of this traffic (about 2-3% on average) is labelled as MS/DCE (RPC 5.0) traffic and all of it flows to port 1116 on the DTC service. I can't find any information about port 1116 relating to Microsoft stuff or DTS. I thought DCOM and stuff used variable ports, but I'm not even sure if this stuff is valid.

We do have other conduits open for web queries from the web server to the clustered SQL address, but I'm wondering if I can lock this down to port 1116 without fear of it being dynamic. I took sniffer traces over 4 full days of traffic and didn't see anything other than this port to this service IP, but it's weird that this IP is in the reserved port range and being used by MS but it's not documented.
Any ideas?

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
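The check the poster is doing by hand, as an added example that is not part of the original message: given a sniffer trace summarised one flow per line, work out which destination ports were seen on every capture day (candidates for a tightened conduit) and flag any destination that was also contacted on TCP 135, the DCE/RPC endpoint mapper. A client that asks the endpoint mapper for a service's port is being handed a dynamically assigned port, so a port that looks fixed across four days of traces can still move after the service restarts. The trace lines, addresses and ports below are constructed for the example and are not from the poster's network.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample of sniffer output (not a real capture), one flow per line:
# date time src:port -> dst:port proto [description]
SAMPLE_TRACE = """\
2002-03-01 09:12:44 172.16.1.10:3201 -> 10.0.0.60:1116 tcp MS/DCE RPC 5.0
2002-03-01 09:12:45 172.16.1.10:3202 -> 10.0.0.50:1433 tcp TDS
2002-03-02 11:40:02 172.16.1.10:3977 -> 10.0.0.60:1116 tcp MS/DCE RPC 5.0
2002-03-03 02:15:19 172.16.1.10:4410 -> 10.0.0.60:1116 tcp MS/DCE RPC 5.0
2002-03-04 16:03:58 172.16.1.10:1051 -> 10.0.0.60:1116 tcp MS/DCE RPC 5.0
2002-03-04 16:04:00 172.16.1.10:1052 -> 10.0.0.50:1433 tcp TDS
2002-03-04 16:05:31 172.16.1.10:1060 -> 10.0.0.60:135 tcp DCE RPC endpoint mapper
"""

FLOW_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+)"
)

RPC_ENDPOINT_MAPPER_PORT = 135  # DCE/RPC endpoint mapper (tcp/135)


def parse_flows(text):
    """Parse the summarised trace into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # ignore lines not in the expected flow format
        flows.append({
            "day": date.fromisoformat(m["date"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": m["proto"].lower(),
        })
    return flows


def capture_days(flows):
    """All distinct days the trace covers."""
    return {f["day"] for f in flows}


def ports_by_destination(flows):
    """Map (dst, proto, dport) -> set of days on which that port was hit."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f["dst"], f["proto"], f["dport"])].add(f["day"])
    return seen


def stable_ports(flows):
    """Destination ports seen on every capture day, sorted.

    Only these are reasonable candidates for pinning a conduit to a single
    port; a port seen on some days but not others has not proven itself.
    """
    days = capture_days(flows)
    seen = ports_by_destination(flows)
    return sorted(key for key, on_days in seen.items() if on_days == days)


def endpoint_mapper_hosts(flows):
    """Destinations that were asked for an RPC endpoint on tcp/135.

    A host in this set hands out dynamically assigned RPC ports, so a port
    that looks fixed in the trace may change after a service restart.
    """
    return {
        f["dst"] for f in flows
        if f["proto"] == "tcp" and f["dport"] == RPC_ENDPOINT_MAPPER_PORT
    }


def review(text):
    """Summarise a trace: stable port candidates and hosts using the mapper."""
    flows = parse_flows(text)
    return {
        "days": len(capture_days(flows)),
        "stable": stable_ports(flows),
        "epm_hosts": endpoint_mapper_hosts(flows),
    }


if __name__ == "__main__":
    report = review(SAMPLE_TRACE)
    print(f"capture covers {report['days']} day(s)")
    for dst, proto, port in report["stable"]:
        warn = " (host also queried on tcp/135: port may be dynamic)" \
            if dst in report["epm_hosts"] else ""
        print(f"stable: {dst} {proto}/{port}{warn}")
```

On the constructed sample, 10.0.0.60 tcp/1116 is the only port seen on all four days, but the same host was also contacted on tcp/135, which is the signal to check on the server side that the RPC port really is fixed before relying on it in a conduit. The SQL listener on 10.0.0.50 tcp/1433 appears on only two of the four days, so on this evidence alone it would not be treated as proven stable either.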
