Great Circle Associates Firewalls
(November 1996)
 


Subject: Re: Cisco PIX
From: "Craig I. Hagan" <hagan @ cih . com>
Date: Thu, 28 Nov 1996 11:06:11 -0500 (EST)
To: "Robert J. Brown" <rjb @ calyx . net>
Cc: Mike Shaver <shaver @ neon . ingenia . ca>, Firewalls @ GreatCircle . COM
In-reply-to: <Pine . BSF . 3 . 95 . 961128021447 . 21578B-100000 @ mojo . calyx . net>
Reply-to: hagan @ cih . com

> Again, I'm not saying Cisco didn't implement something like this. I don't
> know for sure. That's why I posed the question. What DOES PIX do to
> protect your internal network's sendmail? What type of proxying is done?
> Can an outside host EVER directly speak with sendmail?

can i try rewording some of this to the following: what if my security
policy requires that certain applications not allow a direct circuit to an
internet (hostile) host due to the potential risk of damage should the
implementing software contain potential holes? Also, what if my security
policy requires that not all features of certain applications be allowed,
for example http is cool, java and/or activeX are not.

From what i've heard (cisco, et al, please correct me should i be wrong),
the PIX firewall doesn't handle the second situation (application layer
filtering). heck, very few firewalls out of the box handle it, especially
in quickly evolving application spaces like the web. 

could someone from cisco give an opinion on whether the following
would be a reasonable use for their PIX firewall, and whether
this is the intended use:

'net ---- PIX --- proxy app server
           |
           |
        internal net

thus the PIX machine (or competing product) could give me protocol layer
protection for both the internal net and the proxy app server.  the proxy
app server would then handle certain applications which required
additional action above and beyond what PIX, et al, provides -- http
proxying/activeX blocking, perhaps it might be a java VM which could
execute java and relay display information to the desktop, etc, process
mail to reduce the chance that someone could ship tainted binaries or
whatever in attachments, etc etc etc. [note: if you want to argue the
merits of the above kooky ideas, let's make it an offline thread, i'm
making them up as i go]
 

-- craig

-------------------------------------------------------------------------------
Craig I. Hagan     "It's a small world, but I wouldn't want to back it up"
hagan @ cih . com  "True hackers don't die, their ttl expires"
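The message above sketches a "proxy app server" that sits beside the packet filter and processes mail so that tainted binaries in attachments do not reach the internal net. The following is an added example of that application-layer step, not code from Craig's post, from Cisco, or from any PIX product: it parses an RFC 822 message with Python's standard `email` package, strips attachments that violate an attachment policy, and replaces each stripped part with a plain-text notice so the message stays well-formed MIME. The blocked extensions and MIME types are assumed policy values, and the sample message is constructed for the demonstration.

```python
"""Attachment-policy filter of the kind a mail-processing proxy could apply.

Added example for the thread above. It is not Cisco PIX code and not any
list member's code; the blocked extensions and MIME types below are assumed
policy values, and SAMPLE_MESSAGE is constructed for the demonstration.
"""
import os
from email import message_from_string, policy
from email.message import MIMEPart

# Assumed policy: attachments with these extensions or MIME types are stripped.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".vbs", ".js"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-executable"}


def is_blocked(part: MIMEPart) -> bool:
    """True when a MIME part violates the assumed attachment policy.

    Both the declared filename and the declared content type are checked,
    because the sender controls each of them independently.
    """
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    return ext in BLOCKED_EXTENSIONS or part.get_content_type() in BLOCKED_MIME_TYPES


def _strip_blocked(container: MIMEPart, removed: list) -> None:
    """Recursively replace blocked leaf parts with a plain-text notice."""
    if not container.is_multipart():
        return
    kept = []
    for sub in container.get_payload():
        if is_blocked(sub):
            name = sub.get_filename() or sub.get_content_type()
            removed.append(name)
            notice = MIMEPart()
            notice.set_content(f"[attachment {name!r} removed by mail policy]")
            kept.append(notice)
        else:
            _strip_blocked(sub, removed)  # handles nested multipart containers
            kept.append(sub)
    container.set_payload(kept)  # same boundary, same structure, minus the bad parts


def filter_message(raw: str):
    """Parse an RFC 822 message and strip disallowed attachments.

    Returns (filtered_message_text, names_of_removed_parts).
    """
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    _strip_blocked(msg, removed)
    return msg.as_string(), removed


# Constructed sample: a text body, a harmless text attachment, and an executable.
SAMPLE_MESSAGE = """\
From: alice@example.com
To: bob@example.com
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Report attached, plus the tool to view it.
--sep
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="report.txt"

revenue up, costs down
--sep
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="viewer.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--sep--
"""

if __name__ == "__main__":
    text, dropped = filter_message(SAMPLE_MESSAGE)
    print("removed:", dropped)
    print(text)
```

The filter runs on the proxy host, so the packet filter in front of it only needs to permit SMTP to that one machine; the policy decision itself (which names and types count as executable content) lives in the two sets at the top and is what an operator would tune.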




 



Follow-Ups:
  • Re: Cisco PIX
    From: "Daniel J Blander - Sr. Systems Engineer for ACS" <Daniel . Blander @ ACSacs . Com>
