Re: [fw-wiz] A fun smackdown...
From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 05/20/05
- Previous message: Paul D. Robertson: "Re: [fw-wiz] A fun smackdown..."
- In reply to: Paul D. Robertson: "Re: [fw-wiz] A fun smackdown..."
- Next in thread: Paul D. Robertson: "Re: [fw-wiz] A fun smackdown..."
- Reply: Paul D. Robertson: "Re: [fw-wiz] A fun smackdown..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com Date: Fri, 20 May 2005 04:17:11 +0530
On 19/05/05 17:32 -0400, Paul D. Robertson wrote:
<snip>
> >
> > I used Cisco's proxying of SMTP as a well-known example of a "security
> > feature" which breaks legitimate protocol extensions (ESMTP), yet
>
> That's the point; you stop things (I don't think it really "breaks it,"
> since it should default to HELO instead of EHLO- so "doesn't allow
Yes it does. Minimally, it breaks the requirement that the server
advertise its fully qualified hostname to the remote SMTP client in the
greeting.
> increased functionality" is probably more accurate.) Heck, I try not to
The increased functionality enhances security by allowing for
1> SMTP AUTH
2> TLS
3> being able to reject before 'data' based on size as offered by the client.
(otherwise you have to accept all the data and that can lead to a DoS).
4> Catching broken spamware and proxies which spew out SMTP protocol
stuff before responses without offering EHLO and explicitly being
offered pipelining.
> run browsers that do ActiveX when I run a browser on a Microsoft OS,
> that's reduced functionality too- but I'm willing to accept it because it
> reduces my risk.
>
> Guards with guns stop the free flow of people, and reduce the
> functionality of a place- but they also reduce the risk if they're doing
> their jobs- and many places are happy to deploy them.
>
> > doesn't seem to really improve security, but if you aren't very
> > familiar with it, I won't insist on debating this particular example.
> > :-)
>
> Does it stop the MS-only extensions? In that case it does provide some
> security value- unless you feel that overflows in SMTP verbs aren't that
> big a security deal...
But those could be stopped by an ESMTP speaking defensive proxy as well.
Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
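Devdas's points 3 and 4 (rejecting on the client-offered SIZE before DATA, and spotting a client that pipelines commands without ever being offered PIPELINING), written out as checks an ESMTP-speaking defensive proxy could apply. This is an added example, not code from the thread or from any firewall product; the size limit, hostname and sample command lines are constructed.

```python
import re

# Constructed policy for a hypothetical ESMTP-aware defensive proxy.
MAX_MESSAGE_SIZE = 10 * 1024 * 1024  # advertised to the client as "250-SIZE"


def ehlo_response(fqdn, max_size=MAX_MESSAGE_SIZE):
    """Greeting the proxy returns to EHLO: its fully qualified hostname
    plus the extensions it is willing to honour (AUTH, TLS, SIZE, PIPELINING).
    A HELO client gets none of these, so it may never pipeline."""
    return [f"250-{fqdn}", f"250-SIZE {max_size}", "250-STARTTLS",
            "250-AUTH PLAIN LOGIN", "250 PIPELINING"]


def check_mail_from(line, max_size=MAX_MESSAGE_SIZE):
    """Point 3: reject an oversized message at MAIL FROM, before any DATA is
    accepted, using the SIZE= parameter the client offers (RFC 1870).
    Returns (reply code, reply text)."""
    m = re.fullmatch(r"MAIL FROM:\s*<[^>]*>((?:\s+[A-Za-z0-9-]+(?:=\S*)?)*)",
                     line.strip(), re.IGNORECASE)
    if not m:
        return 501, "Syntax error in MAIL FROM"
    for param in m.group(1).split():
        key, _, value = param.partition("=")
        if key.upper() == "SIZE":
            if not value.isdigit():
                return 501, "Bad SIZE parameter"
            if int(value) > max_size:
                return 552, "Message size exceeds fixed maximum message size"
    return 250, "OK"


def detect_early_pipelining(reads):
    """Point 4: a client may only send several commands in one burst after it
    has sent EHLO and seen PIPELINING in our reply (RFC 2920). Broken spamware
    and open proxies often spew MAIL/RCPT/DATA right after HELO.
    reads: raw socket reads (constructed); each may hold several CRLF-terminated
    commands. Returns the first offending command group, or None."""
    pipelining_allowed = False
    for read in reads:
        cmds = [c for c in read.split("\r\n") if c]
        if len(cmds) > 1 and not pipelining_allowed:
            return cmds
        if cmds and cmds[0].upper().startswith("EHLO"):
            pipelining_allowed = True  # our EHLO reply offers PIPELINING
    return None
```

A proxy that only speaks HELO to the real server cannot do either check honestly: it never learns the client's SIZE offer, and it has no PIPELINING state to enforce.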