Great Circle Associates Firewalls
(June 1997)

Subject: Re: PIX and FW-1 (packet filter Question)
From: Craig Brozefsky <craig @ onshore . com>
Date: Thu, 5 Jun 1997 22:38:10 -0500
To: Firewalls @ GreatCircle . COM
In-reply-to: <Pine . BSF . 3 . 96 . 970605140358 . 13267H-100000 @ live-oak . cycon . com>

On Thu, 5 Jun 1997, Cy Ardoin wrote:

> On Thu, 5 Jun 1997, Jonathan M. Bresler wrote:
> 
> > 
> > >I don't think there is anything an application firewall can
> > >do that can't also be done by a "packet filter" firewall.  The
> > 
> > 	trivial example:
> > 	a smtp application level proxy can disable the "debug" command
> > for every sendmail behind that firewall.
> 
> Finding and removing the "debug" command from smtp connections at the 
> packet layer isn't much different than finding and altering the PORT and
> PASV part of the FTP command  and all the NAT style packet filters
> modify the FTP commands.  It's not something packet filters do, but
> it is no more difficult than many of the things they already do.

Uhm, how about provide authentication at the firewall, like SecureID 
(yuck) or CryptoCard, or even just APOP for a POP3 proxy?

How about provide an SMTP daemon capable of accepting mail, but not 
requiring anything more than putting it into a directory for another, non 
privileged daemon to forward to a full-featured MTA that is inaccessible 
to the outside world?  This SMTP daemon on the firewall being a very 
simple beast and leaving much less room for fuckup in code, design, than 
let's say, letting packets go thru to a full featured MTA, like uhm, 
sendmail maybe or Exchange, or Netscape's Mail Server, and having to 
modify your packet to block out attacks as they are published.  Surely 
a lot more work than putting SMAPD on your firewall and not having to 
worry about tracking bugs in your full MTA (or at least a very large 
class of bug).

Or filter HTTP based on MIME type and response size.

Hand waving and 'well it could' doesn't get you much of anywhere tho, not 
to imply that this is what you're doing, but just pointing out that theory 
is wonderful and very useful, but when it comes to 'capabilities' 
assessments like this, it's often better to stay within the somewhat 
agreed upon realm of reality.

Craig Brozefsky              craig @ onshore . com
onShore Inc.                 http://www.onshore.com/~craig
Development Team             p_priority=PFUN+(p_work/4)+(2*p_cash)
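The simple spooling SMTP daemon Craig describes, as an added example (not code from the original post, nor the SMAP/SMAPD program): a front-end that knows six verbs, answers 502 to everything else (so sendmail's old DEBUG never reaches the real MTA), accepts mail only for one local domain, and drops each accepted message into a spool directory for a separate, unprivileged forwarder to hand on. `smap_session`, `LOCAL_DOMAIN` and the `relay.example.invalid` banner are constructed names; the session is driven from a list of lines so it runs without sockets.

```python
import re
import time
from pathlib import Path
# Hypothetical stand-in for a SMAP-style front-end, not the real program. Only these
# verbs exist here; DEBUG/WIZ, VRFY/EXPN and every extension get a 502 and never reach the MTA.
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"}
LOCAL_DOMAIN = "example.invalid"   # constructed: the one domain we accept mail for
ADDR_RE = re.compile(r"^<?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})>?$")

def _addr(arg, prefix):   # bare address out of 'FROM:<a@b>' / 'TO:<a@b>', else None
    m = ADDR_RE.match(arg[len(prefix):].strip()) if arg.upper().startswith(prefix) else None
    return m.group(1) if m else None

def smap_session(client_lines, spool_dir):
    """One SMTP session over a list of client lines (no sockets); returns the replies.
    Accepted mail is only written to spool_dir for a separate, unprivileged forwarder."""
    replies = ["220 relay.example.invalid simple SMTP front-end"]
    sender, rcpts, body, in_data = None, [], [], False
    for raw in client_lines:
        if in_data:                              # collecting the body until a lone "."
            if raw != ".":
                body.append(raw[1:] if raw.startswith("..") else raw)  # dot-unstuffing
                continue
            path = Path(spool_dir) / f"{time.time_ns()}.msg"
            path.write_text(f"FROM: {sender}\nRCPT: {', '.join(rcpts)}\n\n" + "\n".join(body) + "\n")
            replies.append(f"250 queued as {path.name}")
            sender, rcpts, body, in_data = None, [], [], False
            continue
        verb, _, arg = raw.strip().partition(" ")
        verb = verb.upper()
        if verb not in ALLOWED:
            replies.append("502 command not implemented")
        elif verb in ("HELO", "EHLO"):
            replies.append("250 relay.example.invalid")
        elif verb == "MAIL":
            sender = _addr(arg, "FROM:")
            replies.append("250 sender ok" if sender else "501 bad sender")
        elif verb == "RCPT":
            rcpt = _addr(arg, "TO:")
            ok = sender is not None and bool(rcpt) and rcpt.lower().endswith("@" + LOCAL_DOMAIN)
            if ok:
                rcpts.append(rcpt)
            replies.append("503 need MAIL first" if sender is None else
                           "250 recipient ok" if ok else "550 relaying denied")
        elif verb == "DATA":
            in_data = bool(rcpts)
            replies.append("354 end data with <CRLF>.<CRLF>" if rcpts else "503 need RCPT first")
        elif verb == "QUIT":
            return replies + ["221 bye"]
    return replies
```

The spooled file carries only the envelope and raw body; the forwarder, running without privileges, is the only thing that ever talks to the full MTA.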


