> Fair warning: Probably most readers of this
> list know by now that I favor the PIX/Firewall-1/SPF/NAT
> type solutions..though I am just a user. I have no
> stake in Cisco or Checkpoint.
>
> The case you mentioned below about the mail server..
> Yes, out of the box, you are reliant totally on the built-in
> security of the mail server, so keep up on your sendmail
> hole-of-the-week. In most cases, for FW-1 or PIX, for servers,
> you need to rely on the host security of the server for the
> ports you are "publishing." PIX and FW-1 will block all
> the other ports, same as router ACLs.
>
Food for thought for people like Cisco/FW1... If you were to just make
a Mail Transport Agent for the hub, and provide it along with the product,
people like me could not bitch, and you could say you covered the bases. I did
note in one of the earlier posts from Cisco that they are indeed working on it.
> However, I did say out of the box... Apparently PIX and FW-1
> can go "deeper" into the connection if need be.. they can
> deal with protocols that embed the addresses in the data field,
> like FTP. FW-1 has add-ons that will do things like virus
> scanning, stripping out java and active-x code, content
> censoring etc.. So they *can* do the equivalent of an
> application proxy..if you ask them to. But, basically by default
> it will do the lowest level filtering that it has to for speed reasons.
> Also, you don't get things like a log of URLs (by default) like
> you can easily do with a traditional proxy.
Hmm, I would be interested in comparing audit data to see where, if any,
data is lacking between the 2 technologies.
>
> So, back to the mail question, it doesn't check for evil
> things in the connection stream, but it could. I think this
> is the complaint that most of the people who prefer
> proxy-like things have... that PIX and FW-1 don't
> assume they have to do a full-blown proxy for
> most connection types. A full proxy that
> assumes the worst should be more secure than
> a PIX or FW-1 that assumes the least, if you consider
> one connection only.
>
> In my case, I prefer FW-1, because I allow a whole
> lot of protocols out..and one cohesive solution
> makes better security sense than the equivalent
> number of proxies. If I was doing just HTTP, a proxy
> would make better sense..but it would be hard to convince
> me that a whole bank of different proxies in parallel would
> have fewer security holes than the FW-1.
>
> Sorry to babble on...this SPF vs. Proxy issue comes up a lot.
> Should we write a FAQ, perhaps debate style, that deals
> with the issue?
>
Hmm, that is a great idea.. We should put one together, and toss it
around the list until it is made clear.
Jeromie Jackson
Garrison Technologies
jeromie @ garrison . com
> Ryan
> ---------- Previous Message ----------
> To: firewalls, dochin
> cc: lazar, mhoward, froys, jlw, afoss, amittal
> From: jeromie @ garrison.com (Jeromie Jackson) @ smtp
> Date: 12/04/96 11:55:22 AM
> Subject: Re: Cisco's PIX Firewall
>
> > To clarify the PIX Firewall, it is not a packet filter. It is a dedicated
> > security device, built with one purpose in mind -- securing the private LAN
> > to the Internet.
> >
>
> Hmm, from what I've seen, it certainly does qualify as an IP filtering
> device. It bases its ACLs on header information, namely src, port, dst, port, flags.
> It obviously is not an application level gateway, therefore you may be competing
> with TIS/Raptor for market share, although it is quite different technology.
> It appears to be a packet filtering device that has NAT capabilities...
>
> > We are in fact directly in competition with Checkpoint, Raptor, TIS, etc.
> > The "cut-through proxy" feature provides a significant performance
> > enhancement to the security function since users are authenticated at the
> > application layer. Once authenticated, the process flow shifts back to the
> > network layer which provides the high performance.
>
> I would have to agree that most likely there is a performance
> enhancement by using PIX instead of an application level gateway. My question
> would be, if the PIX product is a firewall, how is it securing the
> sendmail/mail transport agent for the customers? When mail comes inbound,
> it has to speak to something.. Since PIX does not have an MTA itself, obviously
> another box is required. If this is so, the level of security of the MTA is
> crucial... This seems to be a bad thing.
>
> Also, using something like PIX, are there features that allow filtering
> of data such as email-content, or java/javascript? What about time based
> access control? Or what about data reduction utilities to utilize the syslog
> information that I would assume the PIX can provide...?
>
> Jeromie Jackson
> Garrison Technologies
> jeromie @ garrison . com
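Ryan's point above about PIX/FW-1 going "deeper" into the stream for protocols like FTP, which carry addresses in the data field, is worth making concrete. The following is an added illustration (not code from the thread, from Cisco or from Checkpoint) of the minimum a stateful filter must do when it sees an FTP PORT command on the control channel: decode the embedded address, refuse to open a data-channel pinhole for any host other than the client that issued the command, and refuse privileged ports. Sample control-channel lines and the client address are constructed.

```python
import re

# RFC 959 PORT syntax: six decimal octets, h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port(line):
    """Decode one FTP PORT command line into (ip, port); None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinhole_for_port(client_ip, line):
    """Return the data-channel rule a stateful filter may open, or None.

    client_ip is the source address of the existing control connection;
    the filter already knows it from its state table.
    """
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != client_ip:   # embedded address must be the client itself (no third-party data channels)
        return None
    if port < 1024:       # data channel must land on an unprivileged port
        return None
    return {"proto": "tcp", "dst_ip": ip, "dst_port": port}


def pinholes_from_control_stream(client_ip, lines):
    """Walk a control-channel transcript and collect the pinholes that pass the checks."""
    return [rule for rule in (pinhole_for_port(client_ip, l) for l in lines) if rule]


# Constructed sample transcript (not from the thread): one valid PORT, one pointing
# at a third host, one at a privileged port, and two non-PORT commands.
SAMPLE_CLIENT = "192.0.2.10"
SAMPLE_LINES = [
    "USER anonymous",
    "PORT 192,0,2,10,4,1",      # 192.0.2.10:1025 -> allowed
    "PORT 198,51,100,5,4,1",    # third-party host -> refused
    "PORT 192,0,2,10,0,80",     # port 80 -> refused
    "RETR file.txt",
]

if __name__ == "__main__":
    print(pinholes_from_control_stream(SAMPLE_CLIENT, SAMPLE_LINES))
```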