Great Circle Associates Firewalls
(June 1997)
 


Subject: RE: CheckPoint Firewall-1 V. 2.1
From: "Edkins, Rob - Axon AKL" <edkinsr @ axon . co . nz>
Date: Tue, 10 Jun 1997 08:24:36 +1200
To: "'Craig Brozefsky'" <craig @ onshore . com>
Cc: "'martin @ nii . ncb . gov . sg'" <martin @ nii . ncb . gov . sg>, "'Francisco Lopez (Infovia)'" <flopez @ iv1 . infovia . com . gt>, "'firewalls @ GreatCircle . COM'" <firewalls @ GreatCircle . COM>

The SMTP Security Server from Firewall 1 V3.0 can parse any of the SMTP
message header fields.

In addition, you can do wildcard matches and rewriting actions (eg,
change user @ xyz . com to user @ zyx . com)

There is also a hook into a Cheyenne InocuLAN add-in supplied with
V3.0, although it doesn't scan attachments.

Documentation isn't great, but it's not too difficult to set up.

I take your point about the NT SMTP PO, although maybe putting it in a
DMZ and controlling access to it is better than just letting SMTP
through to the secure side for Checkpoint 2.1 users.

Putting an Exchange Server in the DMZ would be better, but expensive and
a pain if you want it to be part of your internal Exchange Site.

The idea of letting the appropriate NETBt calls for Exchange through the
firewall doesn't thrill me, although there is a paper on it on the
Checkpoint Web site. ( http://www.checkpoint.com )

Rgds,
Rob Edkins
Systems Consultant
Axon Computertime
E-Mail: edkinsr @ axon . co . nz


>-----Original Message-----
>From:	Craig Brozefsky [SMTP:craig @ onshore . com]
>Sent:	Monday, June 09, 1997 6:04 PM
>To:	Edkins, Rob - Axon AKL
>Cc:	'martin @ nii . ncb . gov . sg'; 'Francisco Lopez (Infovia)';
>'firewalls @ GreatCircle . COM'
>Subject:	RE: CheckPoint Firewall-1 V. 2.1
>
>On Mon, 9 Jun 1997, Edkins, Rob - Axon AKL wrote:
>
>> Upgrade to version 3.0 of Firewall 1 and use the SMTP Security Server
>> feature.
>> 
>> This acts as an SMTP Relay, accepting the mail, then queuing it on.
>
>Does it perform address parsing etc...?
>
>> Big advantage of the security server is that nobody from outside touches
>> your Exchange box directly.
>
>Yup.
>
>> Yet another way would be to install the SMTP postoffice from the NT4
>> Server Resource kit onto your v2.1 firewall and configure this as a
>> relay.
>
>I think that would be a really bad idea.  Do not put code not specifically 
>designed to operate in a secure environment on a firewall.  NT4 postoffice 
>is not my idea of 'secure' smtp service and I certainly would not want it 
>running on a firewall.
>
>Craig Brozefsky              craig @ onshore . com
>onShore Inc.                 http://www.onshore.com/~craig
>Development Team             p_priority=PFUN+(p_work/4)+(2*p_cash)
>
