Bugtraq mailing list archives
RE: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint fire wall]
From: "Corey J. Steele" <csteele () good-sam com>
Date: 26 Feb 2002 10:29:19 -0600
Peter,

One more thing I was thinking of... wouldn't it make quite a bit of difference as to what the value of the "proxy_behind" token in /etc/iscan/intscan.ini is set to? I've got mine set to no, and have told InterScan that it is not to act as a proxy but rather it is to pass proxy requests off to localhost:3128, thus InterScan only scans http traffic coming to and going from that proxy server (in this case, this is our parent proxy server, so everything coming from one of the child proxies goes here first -- to be scanned and to check the parent cache.)

Not sure if this clears it up, but basically I believe this is a "proper" configuration; furthermore, we've stopped several viruses with this configuration in place, and it is not susceptible to the CONNECT flaw that Interscan seems to otherwise be susceptible to.

Best Regards,
Corey

On Mon, 2002-02-25 at 15:50, Peter Bieringer wrote:
> --On Monday, February 25, 2002 03:26:16 PM -0600 "Corey J. Steele" <csteele () good-sam com> wrote:
>
>> We have VirusWall listening on port 8080, and then sending non-viruslaced requests to a SmartFilter-enabled SQUID proxy. All systems are Linux based -- most are Red Hat 6.2, with latest applicable patches. We built squid ourselves to include SmartFilter.
>>
>> Hopefully this helps...
>
> Hmm, will you say that if interscan uses as second stage a squid, the interscan HTTPS-proxy is disabled? Otherwise following message should be imho displayed after a CONNECT:
>
> HTTP/1.0 200 Connection established
> Proxy-agent: InterScan 2.0
>
>> [csteele@ws47619 csteele]$ telnet viruswall 8080
>> Trying XXX.XXX.XXX.XXX...
>> Connected to viruswall.
>> Escape character is '^]'.
>> CONNECT mailserver:25 / HTTP/1.0
>> HTTP/1.0 403 Forbidden
>
> For me it looks like more:
>
> client -> squid -HTTP-> viruswall -> internet
>                 -CONNECT -> internet
>
> But this is what I understand you've described:
>
> client -> interscan -> squid -HTTP-> -> internet
>                              -CONNECT -> internet
>
> TIA,
> Peter
--
Information Security Analyst
Good Samaritan Society
e-mail: csteele () good-sam com
voice: (605) 362-3899
PGP Key fingerprint = 564F 2A97 2ADA F492 F34C 8E4A 12AF 9DC3 400E 2DD6
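
The telnet check quoted in the message above can be scripted to audit a proxy you administer; this is an added example, not part of the original post or of any vendor tooling. It classifies the reply to a CONNECT request and reports the `Proxy-agent` header, which shows which layer (InterScan or the proxy behind it) answered. The names `parse_connect_reply` and `probe` and the sample replies are constructed here, and the request uses the standard `CONNECT host:port HTTP/1.0` form.

```python
import socket

# Constructed sample replies, built from the two responses quoted in the thread.
REPLY_TUNNEL = b"HTTP/1.0 200 Connection established\r\nProxy-agent: InterScan 2.0\r\n\r\n"
REPLY_DENIED = b"HTTP/1.0 403 Forbidden\r\n\r\n"


def parse_connect_reply(raw):
    """Classify a proxy's reply to CONNECT and report which layer answered."""
    lines = raw.decode("latin-1").replace("\r\n", "\n").split("\n")
    parts = lines[0].split(None, 2)
    verdict = "unknown"  # empty or non-HTTP reply
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        code = int(parts[1])
        if 200 <= code < 300:
            verdict = "tunnel-open"   # proxy will relay raw TCP to the target
        elif code >= 400:
            verdict = "refused"       # what a locked-down proxy should return
    agent = None
    for header in lines[1:]:
        if not header:                # blank line ends the header block
            break
        name, _, value = header.partition(":")
        if name.strip().lower() == "proxy-agent":
            agent = value.strip()     # identifies the component that handled CONNECT
    return {"verdict": verdict, "agent": agent}


def probe(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Send one CONNECT to a proxy you administer and parse the first reply."""
    request = f"CONNECT {target_host}:{target_port} HTTP/1.0\r\n\r\n".encode("ascii")
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = sock.recv(4096)
    return parse_connect_reply(raw)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; no network traffic.
    for sample in (REPLY_TUNNEL, REPLY_DENIED):
        print(parse_connect_reply(sample))
```

A `tunnel-open` verdict for a non-HTTPS port such as 25 means the proxy chain still needs a CONNECT port restriction.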