Re: Cisco PIX fixup protocol command

From: Brian Ford (brford_at_cisco.com)
Date: 02/12/04

    Date: Thu, 12 Feb 2004 11:07:58 -0500
    To: jamie@nucdc.org
    
    

    Jamie,

    >The fixup means that it will add stateful connection tracking to the
    >protocol/port you desire. This keeps the firewall from using more
    >resources than necessary, and I would imagine speeds things up as well.

    This is incorrect. The PIX is a stateful firewall and maintains state on
    all traffic going through the firewall, whether a fixup exists or
    not. Note that this is "going through". The PIX maintains state of
    connections for traffic that was passed. The PIX doesn't maintain state
    for traffic that was dropped (because there is no connection).

    The use of fixups has no significant impact on resources. In some
    instances where addresses are being translated the PIX might temporarily
    allocate some memory to make a copy of the packet.

    The use of fixups usually impacts performance based on the ratio of packets
    that match the protocol type versus the total amount of traffic that is
    being passed and based on the fixups (some do more than others).

    The reason why a security evaluation might result in a recommendation to
    remove certain PIX fixups is simple. The evaluation may have found that
    there was no need for those types of traffic to be processed through the
    firewall. If you have a security policy that does not permit SMTP, there
    is no need to have the SMTP fixup enabled.

    I hope this helps.

    Liberty for All,

    Brian

    At 01:48 PM 2/11/2004 -0500, Jamie Pratt wrote:
    >The fixup means that it will add stateful connection tracking to the
    >protocol/port you desire. This keeps the firewall from using more
    >resources than necessary, and I would imagine speeds things up as well.
    >As far as SMTP goes, it's often recommended NOT to use it - Basically,
    >commands like EHLO (instead of HELO, which MANY mail clients use
    >instead) will not work, ESMTP breaks, etc., etc. (At least on Qmail
    >servers anyhow - not sure about the others - it also hides the SMTP
    >banner with XXXX's, which is good of course, but at the expense of
    >[possibly] losing email, depending on your mail server type.)
    >
    >As far as security implications of 'no fixup', I'm guessing the
    >TCP sequence numbers would probably be easier to guess, which, as most
    >know, is a difficult way to hack a firewall anyhow... - personally, I
    >would think it would be more secure, not less..? (I could be wrong..
    >comments?)
    >
    >The syntax of 'no fixup protocol service port' basically means to treat
    >that port/service/protocol as non-stateful, meaning all the packets will
    >have to traverse the ruleset, just adding overhead to the firewall in
    >general. I may be wrong here, but I believe that is really all there is
    >to it...
    >
    >There is a mailing list out there called fw-wiz, or 'firewall wizards',
    >(not sure of the URL, sorry) which is probably better able to answer this
    >in more detail..
    >
    >regards,
    >jamie
    >
    >S.Rohit wrote:
    >
    >| Hi everyone....
    >|
    >| Might sound like a very stupid question to ask, but I am looking for info
    >| on what is the use of fixup protocol commands on the Cisco PIX device.
    >| What is the exact usage and significance of these commands? And what are
    >| the security implications of this command? I know that some fixups like,
    >| say, fixup protocol smtp are good because of the way they restrict the
    >| SMTP command set, but how about the general syntax
    >| [no] fixup protocol [service] [port]? What is this used for and what are
    >| the security implications for this?
    >|
    >| I am asking this because I'm seeing a recommendation in some PIX
    >| hardening guide to disable fixups, or they flag fixups as a security
    >| issue? Why is that?
    >|
    >| rohit
    >|
    >
    >

    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.
    http://www.cisco.com/go/safe/

    The opinions expressed in this message are those of the author and not
    necessarily those of Cisco Systems, Inc.

    This email address is transmitted from San Jose, California, U.S.A.

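Brian's point is that a fixup should track the security policy: inspection for a protocol the policy never passes is pointless. The following check is an added example, not code from any poster or from Cisco; it parses PIX 6.x-style `fixup protocol` and `access-list` lines from a constructed sample config (192.0.2.0/24 is the documentation address range, and the `SERVICE_PORTS` name table is an assumed subset) and lists the fixups whose ports no access-list permits, the candidates for `no fixup`.

```python
# Added example (not from the thread): cross-check which PIX 6.x fixups are still
# enabled against the destination ports the access-lists actually permit.
import re

SERVICE_PORTS = {"smtp": 25, "www": 80, "http": 80, "ftp": 21}  # 'eq <name>' subset, assumed
FIXUP_RE = re.compile(r"^\s*(no\s+)?fixup\s+protocol\s+(\S+)\s+(?:(?:tcp|udp)\s+)?(\d+)(?:-(\d+))?\s*$")
ACL_RE = re.compile(r"^\s*access-list\s+\S+\s+permit\s+(?:tcp|udp|ip)\s+(.*?)\s*$")

def parse_fixups(config):
    """protocol -> set of (low, high) port ranges still enabled after 'no fixup' lines."""
    fixups = {}
    # Lines that are not fixups, or fixups without a port number, are skipped.
    for m in filter(None, map(FIXUP_RE.match, config.splitlines())):
        negate, proto, low, high = m.groups()
        rng = (int(low), int(high or low))
        if negate:
            fixups.get(proto, set()).discard(rng)
        else:
            fixups.setdefault(proto, set()).add(rng)
    return {p: r for p, r in fixups.items() if r}

def permitted_ports(config):
    """Destination ports some access-list permits, or None if a permit line has no
    'eq' port qualifier (e.g. 'permit ip any any'), so nothing can be ruled out."""
    ports = set()
    for m in filter(None, map(ACL_RE.match, config.splitlines())):
        eq = re.search(r"\seq\s+(\S+)$", m.group(1))  # last 'eq' is the destination port
        if not eq:
            return None
        tok = eq.group(1)
        port = int(tok) if tok.isdigit() else SERVICE_PORTS.get(tok)
        if port is not None:
            ports.add(port)
    return ports

def unneeded_fixups(config):
    """Fixups inspecting ports that no access-list permits: candidates for 'no fixup'."""
    allowed = permitted_ports(config)
    if allowed is None:
        return []
    return [(proto, low, high) for proto, ranges in sorted(parse_fixups(config).items())
            for low, high in sorted(ranges) if not any(low <= p <= high for p in allowed)]

CONFIG = """\
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in deny ip any any
fixup protocol ftp 21
fixup protocol http 80
fixup protocol http 8080
no fixup protocol http 8080
fixup protocol smtp 25
"""  # constructed sample; 192.0.2.0/24 is the documentation range
```

The PIX passes traffic from a higher to a lower security level without any access-list, so the check is only conclusive where every interface has an access-group applied; treat its output as review candidates, not as an automatic change list.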

