RE: suggestions on a good firewall

From: chort (chort_at_amaunetsgothique.com)
Date: 06/24/03

  • Next message: David Gillett: "RE: Wirless LAN" 
    Date: Mon, 23 Jun 2003 21:13:48 -0700 (PDT)
To: Ivan Coric <ivan.coric@workcoverqld.com.au>

    On Mon, 23 Jun 2003, Ivan Coric wrote:

    > Lets take the SMTP protocol for example, fixup SMTP enables the mail
    > guard feature which only lets mail servers receive the RFC 821 commands
    > of HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT. All other commends are
    > rejected.
    >
    > If you want to do a similar thing in CheckPoint you will need to
    > provide the INSPECT code to do it.
    >
    > I can netcat through my CheckPoint FW to my mail servers, web servers
    > etc. Even do a HEAD request to get a banner of the web server and the CP
    > FW does it happily.
    >
    > cheers
    > Ivan
    >
    >
    > >>> Willi Web <Willi.Web@mail4web.de> 06/20/03 10:25pm >>>
    > The FIXUP protocol is there to correct irregular behavior in normal
    > protocols. For example, the FTP Fixup allows traffic in on port 20
    > when
    > the traffic originated on 21. The SMTP fixup disallows certain SMTP
    > commands that could be used for nefarious purposes. The PIX cannot
    > shun
    > traffic based on what the FIXUP protocols detect. There is no dynamic
    > ACL creation possible.
    >
    > The PIX is not a true application level firewall. I can send NETCAT
    > traffic over HTTP and the PIX will never know. Whereas the Checkpoints
    > and Raptors can detect anomalies in traffic, and act on them.
    >
    > --Chris
    >
    >

    Sorry for jumping in the middle of a thread here, but I wanted to
    mention what a pain FIXUP SMTP/Mailguard is. It breaks ESMTP and causes
    nice things like STARTTLS to not work :( If you have a hardend mail
    gateway, you should NO FIXUP SMTP and enable TLS, strong authentication,
    etc. Of course, if you are NAT'ing port 25 directly into Exchange, that
    might be slightly less wise. 

    -- 
-chort
AKA Brian Keefer
The thoughts I express are generally piped from /dev/random,
needless to say they do not represent my fine employer:
CipherTrust, Inc - www.ciphertrust.com
---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
  • Next message: David Gillett: "RE: Wirless LAN"

    Relevant Pages

    • Re: User Auditing
      ... We have servers in our environment by which multiple people ... can issue commands as either themselves or as root. ... And the pam bit that logs keystrokes to auditd does log every keypress. ... Subject: User Auditing ...
      (RedHat)
    • Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)
      ... > console based ftp client. ... the FTP servers have? ... > They are really mail servers, at least smtp for outgoing mails ... If you're firewall was dropping incoming packets destined to ...
      (freebsd-questions)
    • Re: DNS not resolving mail server for ADSL users
      ... > did I say my intention was to confuse, ... > to identify mail servers, so it better to set up one as ... > of even one SMTP server that will be looking for an MX ... Maybe the way you configure your mail servers, there is no need for internal ...
      (microsoft.public.win2000.dns)
    • Re: Which greylist milter is least maintenance
      ... If you have multiple mail servers and MX records a sending system, on receiving a tempfail, will try the next. ... If that also has greylisting it will move to the next until it has exhausted your mx list. ... If you have greylisting enabled on one but not all MX servers you effectively have no greylisting for sending systems that are smart enough to retry. ... If you have greylisting on all your systems and they each maintain their own database you effectively have greylisting from hell. ...
      (comp.mail.sendmail)
    • Re: Email Delivery Problems
      ... The Comcast residential TOS prohibits servers at all so even if you can use ... their mail servers as a Smart Host you'd be violating the TOS. ... SBS using Comcast Residential service on a double NIC, smtp, dns. ...
      (microsoft.public.windows.server.sbs)