How effective is a firewall against RPC exploits?

Thread: How effective is a firewall against RPC exploits?

  1. #1
    Junior Member
    Join Date
    Sep 2003
    Posts
    21

    Question How effective is a firewall against RPC exploits?

    How effective are firewalls against RPC exploits that use port 135? Specifically the vulnerabilities discussed in M$ security bulletins MS03-026 and MS03-039. I will patch the systems behind the firewalls at a later date (I usually allow some time to let Redmond work the bugs out and do a bunch of patches at the same time) and I want to know if I am safe or not. If I am safe I see no reason to take the risk of loading potentially problematic patches and billing out the clients for the time to load the patches and fix any issues they may cause. Thanks in advance for any help you can provide!

    PS- We are using ISA at some sites, Netopia routers with built-in firewalls at some sites, and Linksys routers at some of the smaller sites.

  2. #2
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    If the firewall is a hardware device, it's very effective. Software-based firewalls running on Windows could be exploited with OS-specific attacks. None of my unpatched PCs behind a hardware-based firewall have been exploited.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #3
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I'm using Norton Firewall, and Linksys BEFSX41 Firewall router on my personal PC that is unpatched. So far, I have not been affected. My firewall is blocking all attempts to use the RPC_DCOM buffer.

    As long as you keep your ports like 135, 137 etc blocked you should be safe.

  4. #4
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    Usually the software firewall is "before" the daemons or programs or whatever you call them if you (as a packet) come in from the internet. The firewall should drop the packet before it ever even comes close to the program that is vulnerable.
    Double Dutch

  5. #5
    Junior Member
    Join Date
    Sep 2003
    Posts
    21
    Thanks everyone, figured as much but thought it would be best to get a second opinion.

  6. #6
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    They are effective at blocking it until someone on your trusted network brings in an infected computer (such as a laptop from home). Then if you are not patched, you will get infected.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  7. #7
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    The hardware vs software based argument is fun and all...but in the end the firewall is as effective as the person who is administrating it.

    I've been unaffected by the rpc problems with simple host firewalls such as tiny personal firewall.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  8. #8
    Junior Member
    Join Date
    Sep 2003
    Posts
    21
    That is not really an issue with most of our clients, we have a pretty tight lid on things coming in and going out. Our clients haven't really caught on to the whole laptop thing yet, I guess some are just technophobes. The only ones that use laptops don't connect them to the network, they just use them for internet access on the road and have their assistants email them documents that they need to work on.

  9. #9
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    The firewall will shield you from the external threat as long as it's configured correctly but I'd say you still need to always consider an internal threat.

    Employees bringing in laptops that have been infected are only one aspect to consider. If you do not patch your internal system then there are several exploits freely available so that any user may gain root on any other unpatched system on the subnet. Also in the case of no virus protection/or misconfigured virus protection, could lead to an employee receiving a worm via email or some other way which could in turn corrupt the whole subnet.
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  10. #10
    Senior Member
    Join Date
    May 2003
    Posts
    472
    lemme tell how u will be protected by the use of the firewall.....
    1. by filtering/blocking the access to the port 135,137,445..u ensure the person is not able to send the malformed data to ur PC to take the advantage of the hole, even if u are not patched.
    2. by blocking all the ports except for the ones u require u ensure if anyhow the person has effectively, ie by using web browser or by sending u the attachment, exploited the hole...he is not able to take the advantage by installing trojan etc...

    so firewall is a very effective solution but configure it properly

    nJoy
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
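
The points raised across the replies above (a perimeter firewall only filters traffic that crosses it, and the result depends on how the rules are configured), as an added example that is not part of any post: a small packet-filter model in Python. The rule sets, the zone names and the first-match evaluation order are constructed assumptions, not the behaviour of ISA, Netopia or Linksys devices.

```python
from dataclasses import dataclass

RPC_PORTS = [("tcp", 135), ("udp", 137), ("tcp", 445)]  # ports named in the thread

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "drop"
    proto: str                       # "tcp", "udp" or "any"
    ports: frozenset = frozenset()   # empty set matches every port

def decide(rules, proto, port, default="drop"):
    """First matching rule wins; fall back to the default policy."""
    for r in rules:
        if r.proto in ("any", proto) and (not r.ports or port in r.ports):
            return r.action
    return default

def reachable(src_zone, proto, port, perimeter, host_fw=None):
    """True if a packet from src_zone ("wan" or "lan") reaches a LAN host's service."""
    # Only WAN-sourced traffic crosses the perimeter device; LAN-to-LAN
    # traffic is delivered locally and is never inspected by it.
    if src_zone == "wan" and decide(perimeter, proto, port) == "drop":
        return False
    # A host firewall, if present, sees traffic from every zone.
    if host_fw is not None and decide(host_fw, proto, port) == "drop":
        return False
    return True

def exposed(perimeter, host_fw=None):
    """List the (zone, proto, port) combinations that still reach an RPC port."""
    return [(z, p, n) for z in ("wan", "lan") for p, n in RPC_PORTS
            if reachable(z, p, n, perimeter, host_fw)]

# Constructed rule sets (hypothetical, not taken from any real device).
STRICT = [Rule("drop", "tcp", frozenset({135, 445})),
          Rule("drop", "udp", frozenset({137})),
          Rule("allow", "tcp", frozenset({25, 80}))]
# Same drops, but a broad allow placed first shadows them.
MISORDERED = [Rule("allow", "tcp")] + STRICT
HOST_FW = [Rule("allow", "tcp", frozenset({80}))]   # default drop covers the rest

if __name__ == "__main__":
    print("strict perimeter only :", exposed(STRICT))
    print("misordered perimeter  :", exposed(MISORDERED))
    print("strict + host firewall:", exposed(STRICT, HOST_FW))
```

With the strict perimeter alone, every RPC port is still reachable from the LAN side, which is the infected-laptop case; only patching or a host firewall closes that path.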
