cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Proper Definition & Use of "ALL_DCE_RPC"

I was reading through this thread discussing pros/cons of using "ALL_DCE_RPC" in a Firewall Policy:

What is Check Point's solution for RPC traffic on Internal firewall? 

I'll admit, I've been using Check Point for a while and I was wholly unfamiliar with ALL_DCE_RPC and what it did. Would someone be able to offer a quick crash course explanation of what this service is and what it should / shouldn't be used for? Presently, I have large ranges of TCP and UDP ports created to possibly accomplish the same thing. This sounds like a more secure option, but would love to learn a bit more about it before considering changing things.

Thanks!

Dan

6 Replies

Re: Proper Definition & Use of "ALL_DCE_RPC"

tldr it's a resource that detect and allow windows wmi traffic from different sources , usually wmi traffic is initiated over port tcp135 and then the two host negotiated tcp high range port for message and such , this prevent to set up tcp-high ports in the firewall rules , in my experience this resource works very well and we don't have to troubleshoot such kind of comms

0 Kudos

Re: Proper Definition & Use of "ALL_DCE_RPC"

Sounds about right, however use of DCE/RPC services in a Network Access Policy layer (firewall policy) is one of the very few things left that can halt SecureXL templating (Session Rate Acceleration) of a rulebase on R80.10 gateway as shown by fwaccel stat.  So if using these types of services, try to put them as far down in the policy as possible.  Column-based matching does make SecureXL templating a bit less important for policy optimization on R80.10 gateway though.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos

Re: Proper Definition & Use of "ALL_DCE_RPC"

1) if you start using ALL_DCE_RPC than verify that you do not have a TCP service on port 135 it can get you troubles on this ALG mechanism

2) those service DCE_RPC dot not apply to "ANY" traffic meaning you must put this service inside the rule you want to use for example traffic from Clients to the Domain Controllers

3) if you have traffic on port 135 which is not DCE_RPC there is an SK that you can enable non DCE_RPC traffic on this DCE_RPC service (so you wont configure a tcp service on port 135

4) from security concerns DCE_RPC connections is the right way to open this traffic

some things on RPC it uses as discussed tcp port 135 for the "Control data" for example it want to access some resource on the remote computer. than the remote computer returns the client the port to connect to acess this resource.

you can also vie GPO / Registry keys can harden the range that the Remote computer will use to avoid opening all high ports if you dont use RPC

Re: Proper Definition & Use of "ALL_DCE_RPC"

Thanks for all this info... definitely very helpful! So, is this just for WMI? Or can this basically be used for any RDP traffic? 

Also, @Dor Marcovitch, Do you know the sk article you referenced in comment #3 above?

Thank You!

0 Kudos

Re: Proper Definition & Use of "ALL_DCE_RPC"

0 Kudos

Re: Proper Definition & Use of "ALL_DCE_RPC"

Maybe still helpful... this is the SK: sk65676