08-31-2012 02:02 AM - edited 03-11-2019 04:48 PM
Hello,
I am planning an ASA DCERPC inspect implementation to allow communications between two domain controllers that use RPC EPM (endpoint mapper) traffic.
To ensure that the two endpoints (Dom Controllers) can trust the identity of each other, we want to implement IPSEC AH on the communication between the two nodes. IPSEC AH allows us to create a secure authentication mechanism while leaving the payload un-encrypted.
My questions:
*) has anyone experience with using DCERPC inspects?
*) has anyone experience with, or knows if, the DCERPC inspects are supported on IPSEC AH protected traffic?
Thanks,
Bas Kokken
09-01-2012 08:50 AM
Hi Bro
Personally, I have never done this before, but your requirement doesn’t seem all that complicated after all. Have you tried the sample config shown below?
!
! DCERPC inspection policy: pinholes learned from the endpoint mapper exchange
! are closed after 10 minutes without traffic
policy-map type inspect dcerpc PMI_TEST
 parameters
  timeout pinhole 0:10:00
!
! Class matching the traffic between the two domain controllers
class-map CM_TEST
 match access-list ACL_TEST
!
policy-map PM_TEST
 class CM_TEST
  inspect dcerpc PMI_TEST
!
service-policy PM_TEST interface outside
!
! Match AH (IP protocol 51) between the outside interface and the peer, in both directions
access-list ACL_TEST extended permit ah interface outside host 202.118.10.17
access-list ACL_TEST extended permit ah host 202.118.10.17 interface outside
!
Personally, I would rather use certificates (either from an internal CA server or purchased from a registered CA vendor) for authentication, if you really want to enforce the identity of the respective peers. Furthermore, based on what I know, ESP is much more secure than AH.
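As an added example (written for this thread, not Ramraj's config and not Cisco code), the small Python model below shows what a DCERPC inspector has to extract from the endpoint mapper reply before it can open a pinhole: the protocol tower returned by ept_map carries the TCP port and IP address the client is told to use next, and the firewall opens only that port for that client/server pair, closing it again after the idle timeout (0:10:00 in the config above). The tower bytes, the interface UUID, the addresses and the PinholeTable class are all constructed for the demonstration and are not the ASA's implementation.

```python
"""Added example (not from the thread or from Cisco): what a DCERPC-aware
firewall learns from the endpoint mapper (EPM, TCP 135) exchange.

The EPM answers ept_map with a protocol tower whose floors name the interface
UUID, the transfer syntax, the RPC protocol and finally the TCP port and IPv4
address the client must connect to next.  An inspector that parses this reply
can open only that port for that client/server pair, with an idle timeout,
instead of leaving the whole dynamic RPC range open.  Tower bytes, UUID and
addresses are constructed here; PinholeTable is a toy model, not ASA code."""
import struct
import uuid

# Tower protocol identifiers (DCE 1.1 RPC specification, Appendix L).
PROTO_UUID = 0x0D    # interface or transfer-syntax UUID floor
PROTO_RPC_CO = 0x0B  # connection-oriented RPC
PROTO_TCP = 0x07     # TCP port, stored big-endian
PROTO_IP = 0x09      # IPv4 address

NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
DEMO_IFACE = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed placeholder


def build_tower(iface: uuid.UUID, port: int, ip: str) -> bytes:
    """Encode the usual five-floor CO/TCP/IP tower (constructed test data)."""
    floors = [
        (bytes([PROTO_UUID]) + iface.bytes_le + struct.pack("<H", 1), struct.pack("<H", 0)),
        (bytes([PROTO_UUID]) + NDR_SYNTAX.bytes_le + struct.pack("<H", 2), struct.pack("<H", 0)),
        (bytes([PROTO_RPC_CO]), struct.pack("<H", 0)),
        (bytes([PROTO_TCP]), struct.pack(">H", port)),
        (bytes([PROTO_IP]), bytes(int(o) for o in ip.split("."))),
    ]
    out = struct.pack("<H", len(floors))
    for lhs, rhs in floors:  # each floor: LHS length, LHS, RHS length, RHS (lengths little-endian)
        out += struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs
    return out


def parse_tower(data: bytes) -> dict:
    """Walk the floors; return the interface UUID, TCP port and IPv4 address."""
    (count,) = struct.unpack_from("<H", data, 0)
    off, info = 2, {}
    for _ in range(count):
        (lhs_len,) = struct.unpack_from("<H", data, off)
        lhs = data[off + 2:off + 2 + lhs_len]
        off += 2 + lhs_len
        (rhs_len,) = struct.unpack_from("<H", data, off)
        rhs = data[off + 2:off + 2 + rhs_len]
        off += 2 + rhs_len
        if not lhs:
            raise ValueError("empty floor")
        pid = lhs[0]
        if pid == PROTO_UUID and "interface" not in info:
            info["interface"] = uuid.UUID(bytes_le=lhs[1:17])  # first UUID floor is the interface
        elif pid == PROTO_TCP and len(rhs) == 2:
            (info["port"],) = struct.unpack(">H", rhs)
        elif pid == PROTO_IP and len(rhs) == 4:
            info["ip"] = ".".join(str(b) for b in rhs)
    if off != len(data) or "port" not in info or "ip" not in info:
        raise ValueError("malformed or incomplete tower")
    return info


class PinholeTable:
    """Toy model of the per-flow pinholes a DCERPC inspector keeps open."""

    def __init__(self, timeout_s: float, clock):
        self.timeout_s, self.clock = timeout_s, clock
        self._holes = {}  # (client_ip, server_ip, server_port) -> expiry time

    def learn(self, client_ip: str, tower: bytes) -> tuple:
        """Open a pinhole for the endpoint the EPM just handed to client_ip."""
        info = parse_tower(tower)
        key = (client_ip, info["ip"], info["port"])
        self._holes[key] = self.clock() + self.timeout_s
        return key

    def allows(self, client_ip: str, server_ip: str, port: int) -> bool:
        key = (client_ip, server_ip, port)
        expiry = self._holes.get(key)
        if expiry is None:
            return False
        if self.clock() > expiry:
            del self._holes[key]  # idle timeout reached: the pinhole closes
            return False
        self._holes[key] = self.clock() + self.timeout_s  # matching traffic refreshes the idle timer
        return True


def demo() -> tuple:
    """Port 49158 is open right after the EPM reply and closed after the 0:10:00 idle timeout."""
    now = [0.0]
    table = PinholeTable(timeout_s=600, clock=lambda: now[0])
    key = table.learn("192.0.2.20", build_tower(DEMO_IFACE, 49158, "192.0.2.10"))
    opened = table.allows("192.0.2.20", "192.0.2.10", 49158)
    other_port = table.allows("192.0.2.20", "192.0.2.10", 49159)  # never handed out: stays closed
    now[0] = 601.0
    expired = table.allows("192.0.2.20", "192.0.2.10", 49158)
    return key, opened, other_port, expired
```

The point of the model is the last three values of demo(): only the port the endpoint mapper actually handed to that client is reachable, any other high port stays closed, and the pinhole disappears once the idle timer in the dcerpc policy-map runs out.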
09-05-2012 05:44 AM
Hi Ramraj,
Thanks for your suggestions: I understand your remarks on ESP and the added security. However, in the setup it is not required and actually not wanted.
ESP will not give us insight into what is transmitted. ESP will encrypt the data, therefore preventing the ASA from inspecting it (and performing the pinholing). Also, using ESP encryption, the two endpoints would be allowed to route all data through the ASA without inspection.
We have a Microsoft AD domain controller on one side (less trusted) and a Microsoft AD domain controller (trusted) on the other side of the ASA. What we try to perform is to open up the ASA for AD communications WITHOUT having to open the high ports needed for the RPC protocol.
That is where the DCERPC inspects come in handy.
To further secure data comms, IPSec AH would be useful: the endpoints can validate the identity of each other (mitigating attempts to use IP spoofing or other tricks).
At this moment I would like to know if there are people who tried this and have experience with this (inspect dcerpc with traffic using IPSEC AH) and if people have experience with standard inspect dcerpc.
Before I can test this, I would like to have some clue whether it has a chance to work. Testing is quite complex in our situation.
Thanks,
Bas
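As an added example (written for this thread, not Bas's or Ramraj's code), the Python model below demonstrates the property the setup relies on: with AH the TCP/DCERPC payload stays readable to a device on the path, while the integrity check value (ICV) covers the IP header (minus the fields RFC 4302 calls mutable), the AH header and the whole payload, so an address rewrite or a payload change on the path fails verification; with ESP the same device sees only ciphertext. Keys, addresses and the payload are constructed; HMAC-SHA1-96 is used for the AH ICV as in real deployments, whereas the ESP cipher here is a stand-in keystream, not a real ESP transform, and ESP's trailer and ICV are left out.

```python
"""Added example (not from the thread): what an inspecting device on the path
can see and verify under AH versus ESP.  Simplified packet model, constructed
keys/addresses/payload; the ESP cipher is a stand-in, not AES-GCM/CBC."""
import hashlib
import hmac
import struct

AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte HMAC truncated to 96 bits


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header without options; checksum left zero in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       _ip(src), _ip(dst))


def _immutable_view(hdr: bytes) -> bytes:
    """Zero the mutable IPv4 fields per RFC 4302: TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(hdr)
    h[1], h[8] = 0, 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(key: bytes, src: str, dst: str, payload: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    """IP | AH(next=TCP, len, spi, seq, ICV) | payload; the ICV is HMAC-SHA1-96 over all of it."""
    ah_words_minus_2 = (12 + ICV_LEN) // 4 - 2  # AH "payload length" field, per RFC 4302
    ah_no_icv = struct.pack("!BBHII", TCP_PROTO, ah_words_minus_2, 0, spi, seq)
    ip = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload))
    authed = _immutable_view(ip) + ah_no_icv + bytes(ICV_LEN) + payload  # ICV field zeroed for the MAC
    icv = hmac.new(key, authed, hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah_no_icv + icv + payload


def ah_split(packet: bytes):
    return packet[:20], packet[20:32], packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]


def ah_verify(key: bytes, packet: bytes) -> bool:
    ip, ah, icv, payload = ah_split(packet)
    expected = hmac.new(key, _immutable_view(ip) + ah + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Stand-in keystream (HMAC-SHA256 in counter mode); only here to model confidentiality."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_protect(key: bytes, src: str, dst: str, payload: bytes, spi: int = 0x2002, seq: int = 1) -> bytes:
    """IP | ESP(spi, seq) | ciphertext; ESP trailer and ICV omitted from the model."""
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, spi, seq, len(payload))))
    return ipv4_header(src, dst, ESP_PROTO, 20 + 8 + len(ct)) + struct.pack("!II", spi, seq) + ct


def middlebox_view(packet: bytes) -> bytes:
    """The upper-layer bytes a device on the path can read without any key."""
    proto = packet[9]
    if proto == AH_PROTO:
        return ah_split(packet)[3]   # AH leaves the payload in clear
    if proto == ESP_PROTO:
        return packet[28:]           # ESP: ciphertext only
    return packet[20:]


def demo() -> dict:
    key = b"constructed-demo-key-not-for-real-use"
    payload = b"DCERPC ept_map request (constructed stand-in payload)"
    ah = ah_protect(key, "192.0.2.10", "192.0.2.20", payload)
    esp = esp_protect(key, "192.0.2.10", "192.0.2.20", payload)
    ttl_dec = bytearray(ah); ttl_dec[8] -= 1                      # a router hop: mutable field, still valid
    natted = bytearray(ah); natted[12:16] = _ip("198.51.100.7")    # source address rewritten on the path
    tampered = bytearray(ah); tampered[-1] ^= 0x01                  # one payload bit changed on the path
    return {
        "ah_payload_visible": middlebox_view(ah) == payload,
        "ah_verifies": ah_verify(key, ah),
        "ah_ttl_decrement_verifies": ah_verify(key, bytes(ttl_dec)),
        "ah_after_nat_verifies": ah_verify(key, bytes(natted)),
        "ah_after_tamper_verifies": ah_verify(key, bytes(tampered)),
        "esp_payload_visible": middlebox_view(esp) == payload,
    }
```

Two of the results matter for this thread: ah_payload_visible is True while esp_payload_visible is False (an inspector can only parse the endpoint mapper exchange in the AH case), and ah_after_nat_verifies is False, so any address translation between the two domain controllers would break AH even if the inspection itself worked.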