Exactly right. It can be a POP server. This would mean that the POP
session is initiated from inside the network. Not from the DMZ.
You would not necessarily have to put it on a separate DMZ machine. It
could be on the firewall, but I generally recommend to my customers to
keep services off the firewall.
Senior Technical Consultant
CheckPoint Software Technologies
--- Begin Message ---
if dmz can't send mail to internal network, then it better
be a pop server.
in addition, if i buy a fw-1, does that mean i have to buy
another machine and configure it myself just to "secure"
> From: David Helms <david .
> To: jeromie @
> Cc: firewalls @
> Subject: Re: Gauntlet vs. Sidewinder
> Date: Wednesday, October 02, 1996 11:07 PM
> Jeromie wrote,
> >(Many leading emails deleted)
> > I would be interested in hearing how checkpoint is securing
> > customers from SMTP based attacks! From what I have seen, they simply
> > through to a mail machine... If that mail machine happens to be
> > Sendmail 4.1, the attacker can blow holes right through the
> > Jeromie Jackson
> > Garrison Technologies
> > jeromie @
> > Keep the flames burning.
> It's the firewall's responsibility to control access and pass protocols
> If the customer has a server that they are going to allow public access
> recommend that they isolate that server in a DMZ. This could be a mail
> a web server, or whatever.
> Here's how it works:
> [External Net]----[Firewall]----[Internal Net]
> [DMZ Net]
> The key here is that you can limit access to specific DMZ servers to
> services. You can log connection attempts to specific DMZ servers and
> important, you only allow connections to DMZ servers, not connections
> servers. You never allow connections originating from outside the
> to enter into the internal network. That way, even if a DMZ server gets
> it can't be used as a launching point to attack the good stuff, the
> Have a great day,
> David Helms
> a launching platform into the secure network.
> David Helms
> Senior Technical Consultant
> CheckPoint Software Technologies
> ph 703.684.4824
> fx 703.684.4847
> davidh @
--- End Message ---
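
The DMZ policy described in this thread (connections allowed to specific DMZ services only, the POP session initiated from inside, nothing originating outside or in the DMZ entering the internal network), as an added example that is not part of the original messages: a small Python audit over a constructed rule list. The zone names, the `Rule` format and the sample rules are assumptions for illustration, not FireWall-1 syntax.

```python
from dataclasses import dataclass

# Zones from the diagram in the thread; the rule format itself is hypothetical.
EXTERNAL, DMZ, INTERNAL = "external", "dmz", "internal"

@dataclass(frozen=True)
class Rule:
    src: str      # zone the connection originates from
    dst: str      # zone the connection is addressed to
    service: str  # e.g. "smtp", "pop3", or "any"
    action: str   # "accept" or "drop"
    log: bool = False

def audit(rules):
    """Return (rule_index, finding) pairs for accept rules that break the DMZ policy."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "accept":
            continue
        # Nothing originating outside or in the DMZ may enter the internal net.
        if r.dst == INTERNAL and r.src in (EXTERNAL, DMZ):
            findings.append((i, f"{r.src} may open connections into the internal net"))
        # Access to DMZ servers should be limited to specific services.
        if r.dst == DMZ and r.service == "any":
            findings.append((i, "DMZ access not limited to specific services"))
        # Connection attempts from outside to DMZ servers should be logged.
        if r.dst == DMZ and r.src == EXTERNAL and not r.log:
            findings.append((i, "public DMZ service accepted without logging"))
    return findings

def first_match(rules, src, dst, service):
    """First-match evaluation with an implicit default drop."""
    for r in rules:
        if r.src == src and r.dst == dst and r.service in (service, "any"):
            return r.action
    return "drop"

# Constructed sample rule base (not taken from the thread).
SAMPLE = [
    Rule(EXTERNAL, DMZ, "smtp", "accept", log=True),  # inbound mail lands in the DMZ
    Rule(INTERNAL, DMZ, "pop3", "accept"),            # POP session initiated from inside
    Rule(DMZ, INTERNAL, "smtp", "accept"),            # violation: DMZ pushes mail inward
    Rule(EXTERNAL, DMZ, "any", "accept"),             # violation: unrestricted, unlogged
]

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE):
        print(f"rule {idx}: {msg}")
```

With only the first two sample rules in place, a compromised DMZ mail host has no accepted path to the internal network, while internal clients can still collect mail over POP.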