Bugtraq mailing list archives
Re: Fw: Fw: No Security is Bad Security
From: jon () OAKTREE CO UK (Jon Ribbens)
Date: Sat, 13 Feb 1999 17:02:17 +0000
Jim Maze <jmaze () EZSAFE COM> wrote:
> That's funny. How can the PIX be certified as conforming to any "Application Level Firewall Protection Profile", when the PIX is not an application level firewall? As you know the PIX is based on stateful packet filtering, not application layer proxies.
This is wrong. The PIX has 'protocol fixups' which are application-level filters. I cannot find any documentation on what they do, though.
> Here's the problem with the PIX, and any other packet filter, stateful or not. The darn things don't break the client-server connections. Every network in the world has at least one mail server and one web server. With a PIX, you have to have an ACL entry that allows port 25 to the mail server and port 80 and possibly 443 to the web server. The problem is, any traffic that meets these basic requirements will pass right through unrestricted.
Definitely wrong. Here, for example, is a connection to sendmail via a PIX firewall:

<<< 220 SMTP/cmap ready______________________________________________________
HELP
<<< 500 Command unrecognized: "XXXX"

The PIX is replacing any data it doesn't think we need to know with underlines (e.g. the sendmail banner), and replacing any commands it doesn't think are necessary with Xs.

Cheers

Jon

--
\/ Jon Ribbens / jon () oaktree co uk
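A toy model of the inline filtering behaviour Jon describes, added here as an illustration and not code from this thread or from Cisco; the permitted verb set, the constructed sendmail banner and the stand-in MTA are all assumptions.

```python
"""Toy model of an inline SMTP 'fixup' (application-level filter) sitting
between client and server.  Assumptions: the permitted verbs are the RFC 821
minimum set, a blocked verb is overwritten with X's of the same length (so
the real MTA receives a same-sized unknown command and answers 500), and
everything after the 220 greeting code is overwritten with underscores."""

ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # assumption

# Constructed sample banner that the unfiltered MTA would send to the client.
RAW_BANNER = "220 mail.example.test ESMTP Sendmail 8.9.1/8.9.1; Sat, 13 Feb 1999"


def fixup_client(line: str) -> str:
    """Client -> server direction: a disallowed verb is replaced by X's."""
    verb, sep, args = line.partition(" ")
    if verb.upper() in ALLOWED_VERBS:
        return line
    return "X" * len(verb) + sep + args


def fixup_server(line: str) -> str:
    """Server -> client direction: hide the banner text after the 220 code."""
    code, sep, text = line.partition(" ")
    if code == "220":
        return code + sep + "_" * len(text)
    return line


def toy_sendmail(line: str) -> str:
    """Minimal stand-in for the MTA behind the firewall (constructed)."""
    verb = line.split(" ", 1)[0]
    if verb.upper() == "QUIT":
        return "221 Bye"
    if verb.upper() in ALLOWED_VERBS:
        return "250 OK"
    return f'500 Command unrecognized: "{verb}"'


def run_session(client_lines):
    """Return what the client sees: masked banner, then one reply per command."""
    transcript = [fixup_server(RAW_BANNER)]
    for line in client_lines:
        reaching_mta = fixup_client(line)  # what the MTA actually receives
        transcript.append(fixup_server(toy_sendmail(reaching_mta)))
    return transcript


if __name__ == "__main__":
    for reply in run_session(["HELP", "VRFY root", "HELO client.example.test", "QUIT"]):
        print("<<<", reply)
```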
Current thread:
- Re: Fw: Fw: No Security is Bad Security Jim Maze (Dec 09)
- Re: Fw: Fw: No Security is Bad Security Jon Ribbens (Feb 13)
- <Possible follow-ups>
- Fw: No Security is Bad Security Scott Seidler (Feb 03)
- Re: Fw: No Security is Bad Security Jim Maze (Feb 04)
- Fw: Fw: No Security is Bad Security Scott Seidler (Feb 08)