Just a few comments on PIX.
Chris Lonvick said:
> So, as the same example, when you telnet to something on the Internet
> (unlike the typical proxy firewalls, you will use the IP address of the
> actual device you want to get to; not the address of the PIX), the PIX
> will get in the way of the session and ask for authentication
> (username/password). This must be used with a TACACS or Radius server
> since the PIX does not maintain user information on itself.
Transparency for proxy firewalls has been available for quite some time.
Gauntlet, Eagle, Black Hole, and every other commercial proxy firewall I
know of supports transparent access to the Internet.
So PIX puts all of its trust in TACACS and Radius? If the authentication
server runs on a different machine, that would mean the firewall trusts
something. Having the firewall trust *ANYTHING* is bad bad bad.
On another note... if there is an SMTP server behind PIX, what is to
prevent someone from exploiting a remote vulnerability and gaining root
access on a machine inside the perimeter? What is to protect them? Since
PIX isn't a proxy firewall, I am assuming that no proxying is done and
outside users are permitted to connect directly to the mail hub. Bad bad
bad.
And no, it is not a good idea to put the mailhub in the DMZ. Regardless of
where you put it, sensitive corporate data is located on that machine. It
should be inside the perimeter and incoming and outgoing mail proxied.
Robert J. Brown
rjb @ calyx . com