Re: Cisco PIX fixup protocol command

From: Jamie Pratt (jamie_at_nucdc.org)
Date: 02/11/04

    Date: Wed, 11 Feb 2004 13:48:34 -0500
    To: security-basics@securityfocus.com
    
    


    The fixup means that it will add stateful connection tracking to the
    protocol/port you desire. This keeps the firewall from using more
    resources than necessary, and I would imagine speeds things up as well.
    As far as SMTP goes, it's often recommended NOT to use it - basically,
    commands like EHLO (instead of HELO, which MANY mail clients use
    instead) will not work, ESMTP breaks, etc., etc. (At least on Qmail
    servers anyhow - not sure about the others - it also hides the SMTP
    banner with XXXX's, which is good of course, but at the expense of
    [possibly] losing email, depending on your mail server type.)

    As far as security implications of 'no fixup', I'm guessing the
    TCP sequence numbers would probably be easier to guess, which, as most
    know, is a difficult way to hack a firewall anyhow... Personally, I
    would think it would be more secure, not less? (I could be wrong...
    comments?)

    The syntax 'no fixup protocol service port' basically means to treat
    that port/service/protocol as non-stateful, meaning all the packets will
    have to traverse the ruleset, just adding overhead to the firewall in
    general. I may be wrong here, but I believe that is really all there is
    to it...

    There is a mailing list out there called fw-wiz, or 'firewall wizards'
    (not sure of the URL, sorry), which is probably better able to answer this
    in more detail.

    regards,
    jamie

    S.Rohit wrote:

    | Hi everyone....
    |
    | Might sound like a very stupid question to ask, but I am looking for info
    | on what is the use of fixup protocol commands on the Cisco PIX device. What is
    | the exact usage and significance of this command? And what are the security
    | implications of this command? I know that some fixups like, say, fixup protocol
    | smtp are good because of the way they restrict the SMTP command set, but how about
    | the general syntax [no] fixup protocol [service] [port]? What is this used for
    | and what are the security implications for this?
    |
    | I am asking this because I'm seeing a recommendation in some PIX hardening
    | guide to disable fixups, or they flag fixups as a security issue? Why is
    | that?
    |
    | rohit
    |


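The two SMTP fixup effects described in the reply above (the 220 banner masked to X's and the command set cut down so EHLO and other ESMTP verbs never reach the server), modelled as an added Python example that is not from the thread or from Cisco. The allowed verb set, the reject reply text and the sample client sessions are assumptions, chosen so a mail admin can test which of their clients would break before enabling or disabling the fixup.

```python
"""Constructed model of PIX SMTP fixup (Mailguard) behaviour as described in
the thread: greeting masked to X's, client verbs limited to the RFC 821 core.
Illustrative, not Cisco code; the allowed set and reject text are assumed."""

# Assumed minimal verb set the inspection forwards (RFC 821 core commands).
ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
REJECT_REPLY = "500 Command unrecognized\r\n"   # assumed wording


def mask_banner(banner: str) -> str:
    """Hide the MTA name/version in a 220 greeting, keeping length and line ending."""
    body = banner.rstrip("\r\n")
    eol = banner[len(body):]
    if not body.startswith("220"):
        return banner                    # not a greeting line, pass through
    code, text = body[:4], body[4:]      # "220 " or "220-" plus the free text
    return code + "X" * len(text) + eol


def inspect_command(line: str, fixup: bool = True) -> tuple:
    """Return (forwarded_to_server, reply_sent_by_firewall) for one client line."""
    if not fixup:
        return True, ""                  # 'no fixup protocol smtp 25': no inspection
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in ALLOWED_VERBS:
        return True, ""
    return False, REJECT_REPLY           # answered locally, server never sees it


def blocked_verbs(client_lines, fixup: bool = True) -> list:
    """List the verbs a client session would lose to the inspection."""
    return [line.split(" ", 1)[0].upper()
            for line in client_lines
            if not inspect_command(line, fixup)[0]]


# Constructed sample traffic: an ESMTP client and a plain RFC 821 client.
ESMTP_CLIENT = ["EHLO relay.example.net", "STARTTLS", "AUTH LOGIN",
                "MAIL FROM:<a@example.net>", "RCPT TO:<b@example.com>", "DATA", "QUIT"]
PLAIN_CLIENT = ["HELO relay.example.net", "MAIL FROM:<a@example.net>",
                "RCPT TO:<b@example.com>", "DATA", "QUIT"]

if __name__ == "__main__":
    print(mask_banner("220 mail.example.com ESMTP Postfix\r\n"))
    print("ESMTP client loses:", blocked_verbs(ESMTP_CLIENT))   # EHLO, STARTTLS, AUTH
    print("Plain client loses:", blocked_verbs(PLAIN_CLIENT))   # nothing
    print("With no fixup:", blocked_verbs(ESMTP_CLIENT, fixup=False))
```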

