On Thu, 28 Nov 1996, Mike Shaver wrote:
> Thus spake Robert J. Brown:
> > And no, it is not a good idea to put the mailhub in the DMZ. Regardless of
> > where you put it, sensitive corporate data is located on that machine. It
> > should be inside the perimeter and incoming and outgoing mail proxied.
>
> Only if you've got sensitive corporate data travelling outside your
> firewall in the clear. Which is, as you would say, bad bad bad.
>
If it is your corporate mailhub, I would assume it contains sensitive
information. If you aren't using some form of an smtp proxy, an evil
attacker can talk to your mailhub. If they can talk to your mailhub, odds
are they can wreak havoc on sendmail. Mail has to get to the inside
somehow, and without something to mitigate the risk you are asking for
trouble.

Again, I'm not saying Cisco didn't implement something like this. I don't
know for sure. That's why I posed the question. What DOES PIX do to
protect your internal network's sendmail? What type of proxying is done?
Can an outside host EVER directly speak with sendmail?

Robert J. Brown
rjb @ calyx . com