IMHO, I would think that you should not be running any other thing on the
firewall machine, and certainly NOT sendmail!!
I would recommend that you have a separate machine as the mail server
running on the DMZ instead.
As far as FW-1 is concerned it will allow SMTP traffic to pass so long as
your rule-base says so; it does not do any content filtering; at least not
for V2.1.
TIS Gauntlet has an SMTP proxy (SMPAD) that you may want to take a look at.
cheers!
Martin Khoo
pichel@sdm.de on 01/13/97 09:15:26 PM
Please respond to pichel@sdm.de
To: firewalls@greatcircle.com
cc: (bcc: Martin Khoo/SIN/Lotus)
Subject: Re: (fwd) Firewall-1 query
> On Thu, 10 Oct 1996 07:01:50 +0100 (BST), Jon Whitton <jonw@mountcomp.co.uk> wrote:
> >
> >I have been looking at firewall-1 as a security solution and have one
> >major query.
> >
> >It appears to work at the IP layer and basically allows or denys packets
> >depending on certain rules. (This is only from the Checkpoint web site.)
> >
> >My question is how does this secure say sendmail since sendmail will be
> >running directly on the firewall machine and not a proxy.
> >Surely if sendmail is running on the firewall then when (not if!) a new
> >bug is found in sendmail, this bug can just be exploited on the
> >firewall.
FW-1 doesn't secure sendmail in its protocol-layer (smtp). It just
restricts who can speak smtp to whom. This _is_ insecure regarding SMTP, of course.
Use smapd from TIS-FWTK (for free) or wait for Firewall-1 Release 3.0
which comes with content security (filters SMTP-commands and viruses).
Jörg!
--
Jörg Pichel
sd&m software design & management GmbH & Co. KG
Thomas-Dehler-Str. 27, 81737 Muenchen
joerg.pichel@sdm.de
Tel/FAX: (089) 63812-112/150
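The two replies above draw a line between a packet filter that only decides who may speak SMTP to whom (the FW-1 rule-base) and a protocol-layer proxy that inspects the SMTP commands themselves (smapd / Gauntlet's SMTP proxy / the "content security" promised for Release 3.0). The following is an added illustration written for this archive page, not code from the thread, from Check Point, or from TIS-FWTK; it shows both layers side by side with a constructed rule base (hypothetical 192.0.2.0/24 addresses), a small SMTP command allow-list, and a constructed sample session. The command filter is deliberately minimal and, as an assumption of this example, accepts only a fixed verb set and plain `<address>` arguments, so a rejected line such as `VRFY` or a malformed `MAIL FROM` never reaches the real mailer behind it.

```python
import ipaddress
import re

# --- Layer 1: packet-filter style rule base ("who may speak SMTP to whom") ---
# Constructed sample addresses; the firewall host itself must NOT accept SMTP.
FIREWALL_HOST = ipaddress.ip_address("192.0.2.1")      # hypothetical FW-1 box
DMZ_MAIL_HOST = ipaddress.ip_address("192.0.2.25")     # hypothetical DMZ mail relay
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# (source network, destination host, destination port, action); first match wins
RULES = [
    (ANY_NET, DMZ_MAIL_HOST, 25, "accept"),
    (ANY_NET, FIREWALL_HOST, 25, "drop"),
]


def packet_filter(src, dst, dport, rules=RULES):
    """Return the action of the first matching rule; default policy is drop.

    This is all a pure packet filter can do for SMTP: it never sees the
    commands inside the TCP stream.
    """
    for net, host, port, action in rules:
        if src in net and dst == host and dport == port:
            return action
    return "drop"


# --- Layer 2: protocol-layer command filter (in the spirit of smapd) ---
# Only the verbs needed to accept mail are permitted; everything else
# (VRFY, EXPN, vendor extensions, garbage) is rejected before a mailer sees it.
ALLOWED_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_LINE = 512  # RFC 821 command line limit, including CRLF
_ADDR_RE = re.compile(r"(MAIL FROM|RCPT TO):\s*<([^<>\s]*)>", re.IGNORECASE)


def filter_command(line: bytes):
    """Classify one client command line as ("ok", VERB) or ("reject", reason)."""
    if len(line) > MAX_LINE:
        return ("reject", "line too long")
    if not line.endswith(b"\r\n"):
        return ("reject", "missing CRLF")
    try:
        text = line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return ("reject", "non-ASCII bytes")
    parts = text.split(maxsplit=1)
    if not parts:
        return ("reject", "empty command")
    verb = parts[0].upper()
    if verb not in ALLOWED_COMMANDS:
        return ("reject", f"command {verb} not permitted")
    # Envelope addresses must be bracketed; "<>" (null reverse-path) is allowed.
    # ESMTP parameters after the address are not accepted by this simplified filter.
    if verb in ("MAIL", "RCPT") and not _ADDR_RE.fullmatch(text):
        return ("reject", f"malformed {verb} argument")
    return ("ok", verb)


def filter_session(lines):
    """Feed command lines through the filter; stop at the first rejection.

    Returns (accepted_verbs, rejection_reason_or_None). Message body lines
    after DATA are not commands and would be handled separately by a real proxy.
    """
    accepted = []
    for line in lines:
        status, detail = filter_command(line)
        if status == "reject":
            return (accepted, detail)
        accepted.append(detail)
    return (accepted, None)


# Constructed sample session: a normal envelope, then a probing VRFY.
SAMPLE_SESSION = [
    b"EHLO client.example\r\n",
    b"MAIL FROM:<alice@example.org>\r\n",
    b"RCPT TO:<bob@example.net>\r\n",
    b"VRFY root\r\n",
    b"DATA\r\n",
]

if __name__ == "__main__":
    print("packet filter, SMTP to DMZ relay:", packet_filter(ipaddress.ip_address("198.51.100.7"), DMZ_MAIL_HOST, 25))
    print("packet filter, SMTP to firewall:", packet_filter(ipaddress.ip_address("198.51.100.7"), FIREWALL_HOST, 25))
    print("command filter, sample session:", filter_session(SAMPLE_SESSION))
```

Run stand-alone, the script shows the packet filter admitting SMTP to the DMZ relay and dropping it to the firewall host, while the command filter accepts EHLO/MAIL/RCPT and stops the session at `VRFY`. The point of the second layer is the one Jörg makes: the rule base alone decides only which hosts may connect, so protocol-level checks have to live in a proxy (or in a mail host on the DMZ, as Martin suggests) rather than in sendmail on the firewall itself.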