DCERPC Inspection
DCERPC inspection is not enabled in the default inspection policy, so you must enable it if you need this inspection. You can simply edit the default global inspection policy to add DCERPC inspection. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
The following sections describe the DCERPC inspection engine.
DCERPC Overview
Microsoft Remote Procedure Call (MSRPC), based on DCERPC, is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
This typically involves a client querying a server called the Endpoint Mapper (EPM), which listens on a well-known port, for the dynamically allocated network address and port of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance opens a pinhole for the address and port advertised by the EPM and, if needed, applies NAT to that embedded address for the secondary connection.
The DCERPC inspection engine inspects native TCP communication between the EPM and the client on well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are taken from the applicable EPM response messages. Because a client may open several connections to the server port returned by the EPM, a pinhole may be used more than once; its lifetime is governed by a configurable timeout.
DCE inspection supports the following universally unique identifiers (UUIDs) and messages:
- Endpoint Mapper (EPM) UUID. All EPM messages are supported.
- ISystemMapper UUID (non-EPM), that is, the DCOM ISystemActivator interface. Supported messages are:
  - RemoteCreateInstance, opnum 4
  - RemoteGetClassObject, opnum 3
- OxidResolver UUID (non-EPM), that is, the DCOM IOXIDResolver interface. Supported message is:
  - ServerAlive2, opnum 5
- Any message that does not contain an IP address or port, because such messages do not require inspection.
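The exchange described in the overview, as an added example that is not part of the original page or of Cisco's implementation: it parses the protocol tower carried in an EPM map response for the embedded IP address and port, translates the address when a NAT mapping applies, and opens a time-limited pinhole that a client may reuse for several secondary connections. The tower layout follows the DCE 1.1 RPC specification; the service interface UUID, the addresses, the port, the NAT mapping and the timestamps are constructed sample values, and the pinhole table is a deliberate simplification of the engine's state.

```python
"""Parse an EPM response tower and model the pinhole an inspection engine opens.

Added illustration, not Cisco code. Tower layout per the DCE 1.1 RPC
specification (Appendix L); all sample values below are constructed.
"""
import struct
import uuid

# Protocol identifiers found in tower floors.
PROTO_UUID = 0x0D    # floor LHS carries a UUID plus a 16-bit major version
PROTO_RPC_CO = 0x0B  # connection-oriented RPC
PROTO_TCP = 0x07     # floor RHS carries a 16-bit port in network byte order
PROTO_IP = 0x09      # floor RHS carries a 4-octet IPv4 address

NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax, v2.0
# Constructed stand-in for the interface the client asked the EPM to resolve.
SAMPLE_SERVICE_UUID = uuid.UUID("12345678-1234-abcd-ef00-0123456789ab")


def build_tower(iface, major, ip, port):
    """Encode a five-floor TCP/IP protocol tower (constructed test data)."""
    floors = [
        (bytes([PROTO_UUID]) + iface.bytes_le + struct.pack("<H", major), b"\x00\x00"),
        (bytes([PROTO_UUID]) + NDR_SYNTAX.bytes_le + struct.pack("<H", 2), b"\x00\x00"),
        (bytes([PROTO_RPC_CO]), b"\x00\x00"),
        (bytes([PROTO_TCP]), struct.pack(">H", port)),
        (bytes([PROTO_IP]), bytes(int(o) for o in ip.split("."))),
    ]
    out = struct.pack("<H", len(floors))
    for lhs, rhs in floors:
        out += struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs
    return out


def _field(buf, off):
    """Read one length-prefixed tower field, refusing to run past the buffer."""
    if off + 2 > len(buf):
        raise ValueError("truncated tower: missing length")
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated tower: field runs past end")
    return buf[off:off + n], off + n


def parse_tower(tower):
    """Return the interface UUID/version and the embedded IP and port."""
    if len(tower) < 2:
        raise ValueError("truncated tower: missing floor count")
    (count,) = struct.unpack_from("<H", tower, 0)
    off, info = 2, {}
    for _ in range(count):
        lhs, off = _field(tower, off)
        rhs, off = _field(tower, off)
        if not lhs:
            raise ValueError("empty floor LHS")
        proto = lhs[0]
        if proto == PROTO_UUID and "interface" not in info:
            if len(lhs) != 19:
                raise ValueError("malformed UUID floor")
            info["interface"] = uuid.UUID(bytes_le=bytes(lhs[1:17]))
            info["version"] = struct.unpack("<H", lhs[17:19])[0]
        elif proto == PROTO_TCP:
            if len(rhs) != 2:
                raise ValueError("malformed TCP floor")
            info["port"] = struct.unpack(">H", rhs)[0]
        elif proto == PROTO_IP:
            if len(rhs) != 4:
                raise ValueError("malformed IP floor")
            info["ip"] = ".".join(str(b) for b in rhs)
    if off != len(tower):
        raise ValueError("trailing bytes after last floor")
    if "ip" not in info or "port" not in info:
        raise ValueError("tower carries no TCP/IP endpoint")
    return info


class PinholeTable:
    """Pinholes keyed by (ip, port), each with an absolute expiry time."""

    def __init__(self, timeout_s, nat=None):
        self.timeout_s = timeout_s   # 600 corresponds to 'timeout pinhole 0:10:00'
        self.nat = nat or {}         # real -> mapped address (static NAT, simplified)
        self.holes = {}

    def open_from_epm(self, tower, now):
        """Parse the EPM response and open (or refresh) the matching pinhole."""
        info = parse_tower(tower)
        key = (self.nat.get(info["ip"], info["ip"]), info["port"])
        self.holes[key] = now + self.timeout_s
        return key

    def permits(self, dst_ip, dst_port, now):
        """A live pinhole admits any number of connections until it expires."""
        expiry = self.holes.get((dst_ip, dst_port))
        return expiry is not None and now < expiry


if __name__ == "__main__":
    tower = build_tower(SAMPLE_SERVICE_UUID, 1, "10.0.0.5", 49152)
    table = PinholeTable(timeout_s=600, nat={"10.0.0.5": "203.0.113.5"})
    print(parse_tower(tower))
    print(table.open_from_epm(tower, now=0), table.permits("203.0.113.5", 49152, 10))
```

The parser rejects towers whose floor lengths run past the buffer rather than trusting them, which is the failure mode an inspection engine must handle when it reads addresses out of untrusted server responses; the pinhole table shows why the timeout matters, since every connection to the advertised port is admitted until expiry, not only the first.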
Configure a DCERPC Inspection Policy Map
To specify additional DCERPC inspection parameters, create a DCERPC inspection policy map. You can then apply the inspection policy map when you enable DCERPC inspection.
When defining traffic matching criteria, you can either create a class map or include the match statements directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that you can reuse class maps.
Procedure
Step 1
(Optional) Create a DCERPC inspection class map. For the traffic that you identify in this class map, you specify actions to take on the traffic in the inspection policy map. If you want to perform different actions for each match command, identify the traffic directly in the policy map.
Step 2
Create a DCERPC inspection policy map:
policy-map type inspect dcerpc policy_map_name
where policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 3
(Optional) Add a description to the policy map:
description string
Step 4
To apply actions to matching traffic, perform the following steps.
Step 5
To configure parameters that affect the inspection engine, perform the following steps:
Examples
The following example shows how to define a DCERPC inspection policy map with the timeout configured for DCERPC pinholes, and then apply it to TCP port 135 traffic in the global service policy. The pinhole timeout is set in the parameters submode of the inspection policy map, and the map name (dcerpc_map) must match exactly where the inspect command references it.
hostname(config)# policy-map type inspect dcerpc dcerpc_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# timeout pinhole 0:10:00
hostname(config)# class-map dcerpc
hostname(config-cmap)# match port tcp eq 135
hostname(config)# policy-map global-policy
hostname(config-pmap)# class dcerpc
hostname(config-pmap-c)# inspect dcerpc dcerpc_map
hostname(config)# service-policy global-policy global
What to do next
You can now configure an inspection policy to use the map. See Configure Application Layer Protocol Inspection.