At 02:22 AM 11/28/96 -0500, Robert J. Brown wrote:
>
>
>On Thu, 28 Nov 1996, Mike Shaver wrote:
>
>> Thus spake Robert J. Brown:
>> > And no, it is not a good idea to put the mailhub in the DMZ. Regardless of
>> > where you put it, sensitive corporate data is located on that machine. It
>> > should be inside the perimeter and incoming and outgoing mail proxied.
>>
>> Only if you've got sensitive corporate data travelling outside your
>> firewall in the clear. Which is, as you would say, bad bad bad.
>>
>
>If it is your corporate mailhub, I would assume it contains sensitive
>information. If you aren't using some form of an smtp proxy, an evil
>attacker can talk to your mailhub. If they can talk to your mailhub, odds
>are they can wreak havoc on sendmail. Mail has to get to the inside
>somehow, and without something to mitigate the risk you are asking for
>trouble.
>
>Again, I'm not saying Cisco didn't implement something like this. I don't
>know for sure. That's why I posed the question. What DOES PIX do to
>protect your internal network's sendmail? What type of proxying is done?
>Can an outside host EVER directly speak with sendmail?
We use a static conduit that is stateful.
Matt
>
>Robert J. Brown
>rjb @ calyx . com