Securing RPC Traffic Between Network Segments
As outlined earlier, the problem of RPC traffic is most evident between internal network segments. An infected or compromised client in an environment can destroy critical infrastructure through the use of RPC exploits. On the other hand, locking down all RPC port access between network segments severely cripples needed network functionality and makes troubleshooting extremely difficult. Scanning RPC traffic and allowing only acceptable RPC queries is therefore necessary.
Outlining How ISA RPC Filtering Works
ISA Server 2004 secures RPC access through the use of RPC server publishing rules, which scan the RPC traffic for specific universally unique identifiers (UUIDs) and allow only those UUIDs that are associated with that particular service. For example, Figure 15.1 shows some of the UUIDs (referred to as interfaces) that are used to allow Exchange MAPI traffic, which runs over RPC.
Figure 15.1. Examining MAPI UUIDs used in an RPC server publishing rule.
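To make the filtering behaviour concrete, the following added example (not code from the book or from ISA Server) shows the core of such a check: it parses the interface UUIDs out of a DCE/RPC bind request and forwards the bind only when every requested interface is on the rule's allowlist. The allowlist UUID is a constructed placeholder rather than the real MAPI interface, and make_bind builds constructed test PDUs.

```python
import struct
import uuid

# Constructed allowlist standing in for the interfaces an RPC server publishing
# rule permits; this is a placeholder UUID, not the real Exchange MAPI one.
ALLOWED_INTERFACES = {"11111111-2222-3333-4444-555555555555"}
NDR_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"  # standard NDR transfer syntax
BIND = 11  # DCE/RPC connection-oriented packet type: bind request

def parse_bind_interfaces(pdu: bytes) -> list:
    """Return the abstract-syntax (interface) UUIDs requested in a bind PDU."""
    if len(pdu) < 28:
        raise ValueError("too short for a bind header")
    vers, _minor, ptype, _flags, drep0 = struct.unpack_from("<BBBBB", pdu, 0)
    if vers != 5 or ptype != BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if drep0 & 0xF0 != 0x10:
        raise ValueError("only little-endian data representation handled")
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("frag_length exceeds bytes received")
    n_ctx, off, found = pdu[24], 28, []  # n_context_elem, first context element
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            raise ValueError("truncated presentation context")
        n_transfer = pdu[off + 2]
        found.append(str(uuid.UUID(bytes_le=pdu[off + 4:off + 20])))
        off += 24 + 20 * n_transfer  # ctx head(4) + abstract(20) + transfer syntaxes
    return found

def bind_permitted(pdu: bytes, allowed=ALLOWED_INTERFACES) -> bool:
    """Filter decision: forward the bind only if every interface is allowed."""
    try:
        found = parse_bind_interfaces(pdu)
    except ValueError:
        return False  # malformed traffic is dropped, never forwarded
    return bool(found) and all(i in allowed for i in found)

def make_bind(interfaces) -> bytes:
    """Build a constructed bind PDU requesting the given interface UUID strings."""
    ctx = b"".join(
        struct.pack("<HBB", n, 1, 0) + uuid.UUID(i).bytes_le + struct.pack("<I", 1)
        + uuid.UUID(NDR_SYNTAX).bytes_le + struct.pack("<I", 2)
        for n, i in enumerate(interfaces))
    body = struct.pack("<HHIBBH", 5840, 5840, 0, len(interfaces), 0, 0) + ctx
    # header: vers, minor, ptype, flags, drep (LE), frag_length, auth_length, call_id
    head = struct.pack("<BBBBIHHI", 5, 0, BIND, 0x03, 0x10, 16 + len(body), 0, 1)
    return head + body
```

A bind that names even one interface outside the allowlist is rejected as a whole, which is the behaviour that stops an unrelated RPC service from being reached through the published port.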
Deploying ISA for RPC Filtering
Of course, aside from reverse proxying of web-related (HTTP, HTTPS) traffic, ISA Server can apply server publishing rules, including RPC rules, only if the traffic sent between client and server flows through the ISA Server. This requires the ISA Server to have multiple network interfaces, and the client traffic must be routed through it, either because ISA is the default gateway or because routing is configured so that traffic flows through ISA. Through these types of deployment configurations, as shown in Figure 15.2, ISA Server RPC filtering can greatly limit the risk of RPC-based attacks.
Figure 15.2. Using ISA Server to secure network segments.
Figure 15.3. Using ISA Server to secure Exchange server network segments.