Great Circle Associates Firewalls
(October 1996)
 


Subject: [Fwd: Re: Gauntlet vs. Sidewinder]
From: David Helms <david . helms @ checkpoint . com>
Organization: CheckPoint Software Technologies
Date: Thu, 03 Oct 1996 09:05:15 -0500
To: firewalls @ GreatCircle . COM

Michael,

Exactly right.  It can be a pop server.  This would mean that the pop 
session is initiated from inside the network.  Not from the DMZ.

You would not necessarily have to put it on a separate DMZ  machine.  It 
could be on the firewall, but I generally recommend to my customers to 
keep services off the firewall.

David
-- 
__________________________________
 David Helms
 Senior Technical Consultant
 CheckPoint Software Technologies
 ph 703.684.4824
 fx 703.684.4847
 davidh @ checkpoint . com
__________________________________
--- Begin Message ---
Subject: Re: Gauntlet vs. Sidewinder
From: "Michael Endrizzi" <mje @ intersec-comm . com>
Date: Thu, 3 Oct 1996 02:10:59 -0500
To: "David Helms" <david . helms @ CheckPoint . COM>

if dmz can't send mail to internal network, then it better
be a pop server. 

in addition, if i buy a fw-1, does that mean i have to buy
another machine and configure it myself just to "secure"
email.

----------
> From: David Helms <david . helms @ checkpoint . com>
> To: jeromie @ garrison . com
> Cc: firewalls @ GreatCircle . COM
> Subject: Re: Gauntlet vs. Sidewinder
> Date: Wednesday, October 02, 1996 11:07 PM
> 
> Jeromie wrote,
> 
> >(Many leading emails deleted)
> >
> 
> >         I would be interested in hearing how checkpoint is securing their
> > customers from SMTP based attacks!  From what I have seen, they simply pass it
> > through to a mail machine... If that mail machine happens to be running
> > Sendmail 4.1, the attacker can blow holes right through the perimeter....?
> > 
> > Jeromie Jackson
> > Garrison Technologies
> > jeromie @ garrison . com
> > 
> > Keep the flames burning.
> 
> Jeromie,
> 
> It's the firewall's responsibility to control access and pass protocols securely.
> If the customer has a server that they are going to allow public access to, we
> recommend that they isolate that server in a DMZ.  This could be a mail server or
> a web server, or whatever.
> 
> Here's how it works:
> 
> 
> [External Net]----[Firewall]----[Internal Net]
>                        |
>                        |
>                    [DMZ Net]
> 
> The key here is that you can limit access to specific DMZ servers to specific
> services.  You can log connection attempts to specific DMZ servers and most
> important, you only allow connections to DMZ servers, not connections from DMZ
> servers.  You never allow connections originating from outside the internal network
> to enter into the internal network.  That way, even if a DMZ server gets hacked,
> it can't be used as a launching point to attack the good stuff, the internal network.
> 
> Have a great day,
> 
> David Helms
> a launching platform into the secure network.
> 
> 
> 
> 
> -- 
> __________________________________
>  David Helms
>  Senior Technical Consultant
>  CheckPoint Software Technologies
>  ph 703.684.4824
>  fx 703.684.4847
>  davidh @ checkpoint . com
> __________________________________


--- End Message ---
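
The policy discussed in this thread (connections go to DMZ servers, never from them, and nothing originating outside the internal network enters it) written as a small ruleset audit. This is an added example, not code from the posters or from any firewall product; the zone names, the `Rule` type, the first-match evaluation and both sample rulesets are constructed for illustration.

```python
from dataclasses import dataclass

# Zones from the diagram in the thread.
EXTERNAL, DMZ, INTERNAL = "external", "dmz", "internal"

@dataclass(frozen=True)
class Rule:
    src: str     # zone the connection originates from
    dst: str     # zone the connection is addressed to
    port: int    # destination TCP port
    action: str  # "allow" or "deny"

def violations(rules):
    """Return (rule, reason) for every allow rule that breaks the thread's policy."""
    bad = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst == INTERNAL and r.src != INTERNAL:
            bad.append((r, "connection into internal net originates outside it"))
        elif r.src == DMZ and r.dst != DMZ:
            bad.append((r, "DMZ server originates a connection"))
    return bad

def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied (assumed semantics)."""
    for r in rules:
        if (r.src, r.dst, r.port) == (src, dst, port):
            return r.action
    return "deny"

# Constructed ruleset 1: the DMZ relay pushes mail inward over SMTP.
PUSH_DESIGN = [
    Rule(EXTERNAL, DMZ, 25, "allow"),
    Rule(DMZ, INTERNAL, 25, "allow"),
]

# Constructed ruleset 2: internal clients fetch mail from the DMZ host over POP3.
POP_DESIGN = [
    Rule(EXTERNAL, DMZ, 25, "allow"),
    Rule(INTERNAL, DMZ, 110, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("push", PUSH_DESIGN), ("pop", POP_DESIGN)):
        print(name, [(r.src, r.dst, r.port, why) for r, why in violations(rules)])
```

The push design is flagged because its second rule lets the DMZ host open a session into the internal network; the POP design delivers the same mail with every internal-facing session initiated from inside.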