This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Taney
Advisor
‎2017-12-11 01:32 PM

Proper Definition & Use of "ALL_DCE_RPC"

I was reading through this thread discussing pros/cons of using "ALL_DCE_RPC" in a Firewall Policy:

What is Check Point's solution for RPC traffic on Internal firewall? 

I'll admit, I've been using Check Point for a while and I was wholly unfamiliar with ALL_DCE_RPC and what it did. Would someone be able to offer a quick crash course explanation of what this service is and what it should / shouldn't be used for? Presently, I have large ranges of TCP and UDP ports created to possibly accomplish the same thing. This sounds like a more secure option, but would love to learn a bit more about it before considering changing things.

Thanks!

Dan

R80 CCSA / CCSE
6 Replies
Marco_Valenti
Advisor
‎2017-12-12 01:16 AM

tldr it's a resource that detect and allow windows wmi traffic from different sources , usually wmi traffic is initiated over port tcp135 and then the two host negotiated tcp high range port for message and such , this prevent to set up tcp-high ports in the firewall rules , in my experience this resource works very well and we don't have to troubleshoot such kind of comms

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2017-12-12 05:01 AM
In response to Marco_Valenti

Sounds about right, however use of DCE/RPC services in a Network Access Policy layer (firewall policy) is one of the very few things left that can halt SecureXL templating (Session Rate Acceleration) of a rulebase on R80.10 gateway as shown by fwaccel stat.  So if using these types of services, try to put them as far down in the policy as possible.  Column-based matching does make SecureXL templating a bit less important for policy optimization on R80.10 gateway though.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Dor_Marcovitch
Advisor
‎2017-12-12 05:47 AM

1) if you start using ALL_DCE_RPC than verify that you do not have a TCP service on port 135 it can get you troubles on this ALG mechanism

2) those service DCE_RPC dot not apply to "ANY" traffic meaning you must put this service inside the rule you want to use for example traffic from Clients to the Domain Controllers

3) if you have traffic on port 135 which is not DCE_RPC there is an SK that you can enable non DCE_RPC traffic on this DCE_RPC service (so you wont configure a tcp service on port 135

4) from security concerns DCE_RPC connections is the right way to open this traffic

some things on RPC it uses as discussed tcp port 135 for the "Control data" for example it want to access some resource on the remote computer. than the remote computer returns the client the port to connect to acess this resource.

you can also vie GPO / Registry keys can harden the range that the Remote computer will use to avoid opening all high ports if you dont use RPC

Daniel_Taney
Advisor
‎2017-12-15 11:42 AM
In response to Dor_Marcovitch

Thanks for all this info... definitely very helpful! So, is this just for WMI? Or can this basically be used for any RDP traffic? 

Also, @Dor Marcovitch, Do you know the sk article you referenced in comment #3 above?

Thank You!

R80 CCSA / CCSE
0 Kudos
startoff
Participant
‎2018-04-20 01:24 AM
In response to Daniel_Taney

Maybe still helpful... this is the SK: sk65676

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events