Great Circle Associates Firewalls
(October 1996)
 


Subject: Re: Gauntlet vs. Sidewinder
From: "Daniel J Blander - Sr. Systems Engineer for ACS" <Daniel.Blander@ACSacs.Com>
Date: Thu, 3 Oct 1996 08:07:43 -0700 (PDT)
To: David Helms <david.helms@checkpoint.com>
Cc: firewalls@greatcircle.com
In-reply-to: <32533C06.2CBE@checkpoint.com>

I would agree strongly with David here - I would never allow SMTP services
(proven the most buggy and difficult to secure) on any highly secure
firewall.  It's the most uncontrollable and most difficult to monitor
service (it's miserable wading through hundreds of legitimate connections
via SMTP to look for VRFY, EXPN, DEBUG, etc. commands... and break-in
attempts).  A DMZ / bastion host system is the best solution for this.


On Wed, 2 Oct 1996, David Helms wrote:

> Date: Wed, 02 Oct 1996 23:07:34 -0500
> From: David Helms <david.helms@checkpoint.com>
> To: jeromie@garrison.com
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Gauntlet vs. Sidewinder
> 
> Jeromie wrote,
> 
> >(Many leading emails deleted)
> >
> 
> >         I would be interested in hearing how checkpoint is securing their
> > customers from SMTP-based attacks!  From what I have seen, they simply pass it
> > through to a mail machine... If that mail machine happens to be running
> > Sendmail 4.1, the attacker can blow holes right through the perimeter....?
> > 
> > Jeromie Jackson
> > Garrison Technologies
> > jeromie@garrison.com
> > 
> > Keep the flames burning.
> 
> Jeromie,
> 
> It's the firewall's responsibility to control access and pass protocols securely.
> If the customer has a server that they are going to allow public access to, we
> recommend that they isolate that server in a DMZ.  This could be a mail server or
> a web server, or whatever.
> 
> Here's how it works:
> 
> 
> [External Net]----[Firewall]----[Internal Net]
>                        |
>                        |
>                    [DMZ Net]
> 
> The key here is that you can limit access to specific DMZ servers to specific
> services.  You can log connection attempts to specific DMZ servers and, most
> important, you only allow connections to DMZ servers, not connections from DMZ
> servers.  You never allow connections originating from outside the internal network
> to enter into the internal network.  That way, even if a DMZ server gets hacked,
> it can't be used as a launching point to attack the good stuff, the internal network.
> 
> Have a great day,
> 
> David Helms
> a launching platform into the secure network.
> 
> 
> 
> 
> -- 
> __________________________________
>  David Helms
>  Senior Technical Consultant
>  CheckPoint Software Technologies
>  ph 703.684.4824
>  fx 703.684.4847
>  davidh@checkpoint.com
> __________________________________
> 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Daniel Blander 	=8^)	                    
 Sr. Systems Engineer	 Applied Computer Solutions 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Phone: (714) 842.7800		Fax: (714) 842.8299 
 Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 The Official Applied Computer Solutions Home Page
	     and Tech Tip of the Week:
	       http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
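The three-zone policy David Helms lays out in the quoted reply (specific services to specific DMZ servers, connections to the DMZ but never from it, and nothing originating outside the internal net ever entering it) is simple enough to write down as a decision function and exercise against sample traffic. The following is an added example, not code from this thread or from CheckPoint, Gauntlet or Sidewinder; the address plan, the DMZ host addresses, their service lists and the sample connection attempts are all assumptions constructed for the illustration.

```python
"""Added example, not code from the thread or from any vendor product: a
minimal model of the three-zone DMZ policy described in the thread,
evaluated against constructed connection attempts.  The zone address plan,
the DMZ host addresses and their service lists are all assumptions."""
import ipaddress
from dataclasses import dataclass

# Assumed address plan (hypothetical).  Anything in neither zone is "external".
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Per-server allow list: only these services, only to these DMZ hosts.
DMZ_SERVICES = {
    "192.0.2.25": {25},        # assumed mail relay: SMTP only
    "192.0.2.80": {80, 443},   # assumed web server
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Conn:
    """One connection attempt (the first packet of a new flow)."""
    src: str
    dst: str
    dport: int


def decide(conn):
    """Return (verdict, reason) for a new connection.

    Policy, in the order the checks are applied:
      1. internal hosts may originate connections to anywhere;
      2. nothing that did not originate internally may enter the internal net;
      3. DMZ hosts originate nothing, so a hacked one cannot be a launch point;
      4. external hosts reach the DMZ only for listed services on listed hosts.
    """
    sz, dz = zone_of(conn.src), zone_of(conn.dst)
    if sz == "internal":
        return "ACCEPT", "originated internally"
    if dz == "internal":
        return "DROP", f"{sz} -> internal is never permitted"
    if sz == "dmz":
        return "DROP", "DMZ hosts may not originate connections"
    if dz == "dmz":
        if conn.dport in DMZ_SERVICES.get(conn.dst, set()):
            return "ACCEPT", f"external -> DMZ {conn.dst}:{conn.dport} is on the allow list"
        return "DROP", f"{conn.dst}:{conn.dport} is not on the DMZ allow list"
    return "DROP", "external -> external is not our traffic"


def evaluate(conns):
    """Apply the policy to each attempt and return log-style records.
    Every attempt is recorded, so denied probes against DMZ hosts stay visible."""
    return [(c.src, c.dst, c.dport, *decide(c)) for c in conns]


# Constructed sample traffic (addresses are documentation/test ranges).
SAMPLE = [
    Conn("198.51.100.7", "192.0.2.25", 25),   # outside -> mail relay, SMTP
    Conn("198.51.100.7", "192.0.2.25", 110),  # outside -> mail relay, POP: not listed
    Conn("198.51.100.7", "10.1.1.5", 25),     # outside -> internal mail host
    Conn("192.0.2.25", "10.1.1.5", 25),       # DMZ relay -> internal (a hacked relay)
    Conn("10.1.1.5", "192.0.2.25", 25),       # internal -> DMZ relay (outbound mail)
    Conn("192.0.2.80", "198.51.100.7", 80),   # DMZ web host calling out
]

if __name__ == "__main__":
    for rec in evaluate(SAMPLE):
        print("%-14s -> %-14s %5d  %-6s %s" % rec)
```

Two practical caveats the model makes visible. First, "connections" here means new flows; replies inside an accepted flow are not DMZ-originated connections, which is what a stateful firewall tracks. Second, rule 3 as stated is the strictest reading: a DMZ mail relay that must deliver outbound mail needs one narrow exception (relay to external, port 25 only), while internal mail still reaches it by the internal-to-DMZ path, so the internal net never has to accept anything from the relay.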


