At 11:06 AM 11/28/96 -0500, Craig I. Hagan wrote:
>> Again, I'm not saying Cisco didn't implement something like this. I don't
>> know for sure. That's why I posed the question. What DOES PIX do to
>> protect your internal network's sendmail? What type of proxying is done?
>> Can an outside host EVER directly speak with sendmail?
>
>can i try rewording some of this to the following: what if my security
>policy requires that certain applications not allow a direct circuit to an
>internet (hostile) host due to the potential risk of damage should the
>implementing software contain potential holes? Also, what is my security
>policy requires that not all features of certain applications be allowed,
>for example http is cool, java and/or activeX are not.
>
>>From what i've heard (cisco, et al, please correct me should i be wrong),
>the PIX firewall doesn't handle the second situation (application layer
>filtering). heck, very few firewalls out of the box handle it, especially
>in quickly evolving application spaces like the web.
we do use proxy technology as a way of doing authentication. As with our
multimedia support, we can handle some policy at the application layer.
Since our OS is actually a realtime embedded OS, we have high performance
(the kernal is approx. 10k bytes, we run from flash). The key is we are
stateful and on many protocols peek into the application layer, like vdo
live, cuseeme, IRC, ftp... Our cut-through technology gives us lots of
future flexibilities..
>
>could someone from cisco give an opinion on whether the following
>would be a reasonable use for their PIX firewall, and whether
>this is the intended use:
>
>'net ---- PIX --- proxy app server
> |
> |
> internal net
>
>thus the PIX machine (or competing product) could give me protocal layer
>protection for both the internal net and the proxy app server. the proxy
>app server would then handle certain applications which required
>additional action above and beyond what PIX,et al, provides -- http
>proxying/activeX blocking, perhaps it would might be a java VM which could
>execute java and relay display information to the desktop, etc, process
>mail to reduce the chance that someone could ship tainted binaries or
>whatever in attachments, etc etc etc. [note: if you want to argue the
>merits of the above kooky ideas, lets make it an offline thread, i'm
>making them up as i go]
we have some customers that do this.
Matt
>
>
>-- craig
>
>-------------------------------------------------------------------------------
>Craig I. Hagan "It's a small world, but I wouldn't want to back it up"
>hagan @
cih .
com "True hackers don't die, their ttl expires"
>
>
>
>
>
>
>
>
Matthew Howard
Product Line Manager mhoward @
cisco .
com
Internet Business Unit 408-526-4720 (voice)
Cisco Systems Inc. 408-527-8122 (fax)
170 West Tasman Drive
Building VM2 (corner of First & Vista Montana)
San Jose, CA 95134
|
|
