September 15th, 2003, 05:55 PM
How effective is a firewall against RPC exploits?
How effective are firewalls against RPC exploits that use port 135? Specifically the vulnerabilities discussed in M$ security bulletins MS03-026 and MS03-039. I will patch the systems behind the firewalls at a later date (I usually allow some time to let Redmond work the bugs out and do a bunch of patches at the same time) and I want to know if I am safe or not. If I am safe I see no reason to take the risk of loading potentially problematic patches and billing out the clients for the time to load the patches and fix any issues they may cause. Thanks in advance for any help you can provide!
PS- We are using ISA at some sites, Netopia routers with built-in firewalls at some sites, and Linksys routers at some of the smaller sites.
September 15th, 2003, 06:01 PM
If the firewall is a hardware device, it's very effective. Software-based firewalls running on Windows could be exploited with OS-specific attacks. None of my unpatched PCs behind a hardware-based firewall have been exploited.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
September 15th, 2003, 06:01 PM
I'm using Norton Firewall and a Linksys BEFSX41 firewall router on my personal PC, which is unpatched. So far, I have not been affected. My firewall is blocking all attempts to use the RPC_DCOM buffer.
As long as you keep your ports like 135, 137 etc blocked you should be safe.
September 15th, 2003, 06:05 PM
Usually the software firewall is "before" the daemons or programs or whatever you call them if you (as a packet) come in from the Internet. The firewall should drop the packet before it ever even comes close to the program that is vulnerable.
September 15th, 2003, 06:30 PM
Thanks everyone, figured as much but thought it would be best to get a second opinion.
September 15th, 2003, 06:31 PM
They are effective at blocking it until someone on your trusted network brings in an infected computer (such as a laptop from home). Then, if you are not patched, you will get infected.
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
September 15th, 2003, 06:35 PM
The hardware vs software based argument is fun and all...but in the end the firewall is as effective as the person who is administrating it.
I've been unaffected by the rpc problems with simple host firewalls such as tiny personal firewall.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
September 15th, 2003, 06:38 PM
That is not really an issue with most of our clients, we have a pretty tight lid on things coming in and going out. Our clients haven't really caught on to the whole laptop thing yet, I guess some are just technophobes. The only ones that use laptops don't connect them to the network, they just use them for internet access on the road and have their assistants email them documents that they need to work on.
September 15th, 2003, 07:16 PM
The firewall will shield you from the external threat as long as it's configured correctly, but I'd say you still need to always consider an internal threat.
Employees bringing in laptops that have been infected are only one aspect to consider. If you do not patch your internal systems, then there are several exploits freely available so that any user may gain root on any other unpatched system on the subnet. Also, having no virus protection, or misconfigured virus protection, could lead to an employee receiving a worm via email or some other way, which could in turn corrupt the whole subnet.
That which does not kill me makes me stronger -- Friedrich Nietzsche
September 15th, 2003, 07:26 PM
Let me tell you how you will be protected by the use of the firewall.....
1. By filtering/blocking access to ports 135, 137, 445, you ensure the person is not able to send the malformed data to your PC to take advantage of the hole, even if you are not patched.
2. By blocking all the ports except for the ones you require, you ensure that if the person has somehow effectively exploited the hole (i.e. by using a web browser or by sending you the attachment), he is not able to take advantage of it by installing a trojan etc...
So a firewall is a very effective solution, but configure it properly.
guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
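As an added illustration of the two rules in the post above (explicitly drop inbound 135/137/445, default-deny everything else) and of the earlier point that a perimeter firewall never sees traffic from an infected laptop already on the LAN, here is a small simulated packet filter. It is example code written for this page, not code from any poster, ISA, or a router vendor; the addresses (203.0.113.x outside, 192.168.1.x inside), the one published service on port 80, and the function names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Ports named in the thread for the MS03-026/MS03-039 RPC hole (135) and
# NetBIOS/SMB (137, 445); 138 and 139 are added as the rest of the same
# Windows file/print-sharing set.
WINDOWS_RPC_SMB_PORTS = frozenset({135, 137, 138, 139, 445})

# Constructed internal subnet for the example; a real filter keys on interface.
INTERNAL_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    """A new inbound connection attempt, reduced to what a filter rule keys on."""
    proto: str      # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    dst_port: int


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def perimeter_verdict(pkt: Packet, allowed_inbound: frozenset) -> str:
    """Border firewall policy:
       - traffic that originates inside never crosses the border filter, so
         the perimeter returns 'not-seen' (the infected-laptop caveat);
       - inbound to 135/137/138/139/445 is dropped explicitly;
       - inbound to an allow-listed service port is allowed;
       - everything else is dropped (default deny)."""
    if is_internal(pkt.src_ip):
        return "not-seen"
    if pkt.dst_port in WINDOWS_RPC_SMB_PORTS:
        return "drop"
    if pkt.dst_port in allowed_inbound:
        return "allow"
    return "drop"


def host_verdict(pkt: Packet, host_allowed: frozenset) -> str:
    """Host (software) firewall on the workstation itself: the same
       default-deny rule, but it evaluates every packet, LAN sources included."""
    return "allow" if pkt.dst_port in host_allowed else "drop"


def run_policy(packets: Iterable[Packet], allowed_inbound: frozenset,
               host_allowed: frozenset) -> List[Tuple[str, str]]:
    """Return (perimeter, host) verdict pairs for each packet, in order."""
    return [(perimeter_verdict(p, allowed_inbound), host_verdict(p, host_allowed))
            for p in packets]


# Constructed sample traffic; every address here is made up for the example.
SAMPLE = [
    Packet("tcp", "203.0.113.7", "192.168.1.10", 135),   # Internet -> RPC endpoint mapper
    Packet("tcp", "203.0.113.7", "192.168.1.10", 445),   # Internet -> SMB
    Packet("tcp", "203.0.113.7", "192.168.1.10", 80),    # Internet -> the published web server
    Packet("tcp", "203.0.113.7", "192.168.1.10", 3389),  # Internet -> a port nobody allow-listed
    Packet("tcp", "192.168.1.55", "192.168.1.10", 135),  # laptop already on the LAN -> RPC
]

PERIMETER_ALLOWED = frozenset({80})   # the one service this site publishes (assumed)
HOST_ALLOWED = frozenset({80})        # same allow-list on the workstation's own firewall

if __name__ == "__main__":
    for pkt, (border, host) in zip(SAMPLE, run_policy(SAMPLE, PERIMETER_ALLOWED, HOST_ALLOWED)):
        print(f"{pkt.src_ip:>14} -> {pkt.dst_ip}:{pkt.dst_port:<5} "
              f"border={border:<8} host={host}")
```

The last sample line is the point of the model: the border filter reports "not-seen" for the LAN-to-LAN RPC attempt, and only the host firewall (or the patch) stands between the laptop and the unpatched workstation.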