> Jeromie wrote,
> >(Many leading emails deleted)
> > I would be interested in hearing how checkpoint is securing their
> > customers from SMTP based attacks! From what I have seen, they simply pass it
> > through to a mail machine... If that mail machine happends to be running
> > Sendmail 4.1, the attacker can blow holes right through the perimiter....?
> > Jeromie Jackson
> > Garrison Technologies
> > jeromie @
> > Keep the flames burning.
> It's the firewall's responsibility to control access and pass protocols securely.
> If the customer has a server that they are going to allow public access to, we
> recommend that they isolate that server in a DMZ. This could be a mail server or
> a web server, or whatever.
> Here's how it works:
> [External Net]----[Firewall]----[Internal Net]
> [DMZ Net]
> They key here is that you can limit access to specific DMZ servers to specific
> services. You can log connection attempts to specific DMZ servers and most
> important, you only allow connections to DMZ servers, not connections from DMZ
> servers. You never allow connections originating from outside the inernal network
> to enter into the internal network. That way, even if a DMZ server gets hacked,
> it can't be used as a launching point to attack the good stuff, the internal network.
> Have a great day,
> David Helms
> a launching platform into the secure network.
My point is this:
1) People generally have their SMTP server sitting somewhere within
the "[Internal Net]". The firewall would say something like "We only allow
connections to port 25 of the SMTP gateway". If the SMTP gateway is sitting
inside, the perimiter is broken.
2) If the internet SMTP gateway sits on the DMZ, and the customer
has several internal SMTP gateways that distribute all the mail, then again,
the SMTP gateway on the DMZ would have access to send data to the inside SMTP
hosts, thus providing information flow. If the internal SMTP gateways are
vulerable to attack (IE: version of sendmail that have problems, IE: ALL) then
again, the perimiter is broken.
If I am not seeing something here, please clarify it for us all.