Firewall Wizards mailing list archives

Firewalls breaking stuff: [Was re: fwtk]


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 18 Jul 2002 17:57:03 -0400

Charles W. Swiger wrote:
To focus more on topics more relevant for this list, one of the biggest problems certain firewalls and mail proxies 
have is that they break the SMTP protocol.  For example, Cisco's PIX (with MailGuard?) attempts to proxy SMTP and 
breaks the state machine defined in RFC-821 or -822, as well as preventing ESMTP and violating the SMTP banner 
requirements.

This comes up periodically - and it's the focus of considerable stress for firewall
product builders who care about security. What should a firewall do with things
that are specified in an RFC that are stupid? Obviously, something has to break.
Historically, I've never felt remorse over violating RFCs where they are stupid. After
all, they say right in the RFC "this RFC does not address security" which means
that any system which _does_ address security need not concern itself with the
RFC. ;)

When I broke FTP bouncing in fwtk and broke FTP server side low-port binding,
I had a flurry of complaints that I was trampling on RFCs. I believe that I was
retroactively fixing them - standards are not something handed down by a
priesthood; they're just advice from a bunch of standards pukes who "do not
address security."  If you're trying to address security it's entirely acceptable
and, indeed, the only option, to implement a subset of a dangerous protocol.

mjr.
---
Marcus J. Ranum - Computer and communications Security Expertise
mjr () ranum com  (http://www.ranum.com)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
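The "implement a subset of a dangerous protocol" point above, illustrated as an added example that is not fwtk's code and not part of the original post: a minimal policy check an FTP proxy could apply to the client's PORT command, refusing a data connection that points at any host other than the control-connection peer (the FTP bounce case) or at a privileged port (the low-port case). The sample session, the client address 192.0.2.10 and the MIN_CLIENT_PORT threshold are constructed assumptions for the example.

```python
import ipaddress
import re

# Policy threshold (assumed for this example): data connections must land on
# unprivileged ports, so a PORT command naming port 25, 80, etc. is refused.
MIN_CLIENT_PORT = 1024

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2" where port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Parse a PORT command into (ip_string, port).

    Returns None if the line is not a syntactically valid PORT command,
    including any octet or port byte outside 0..255.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(line, client_ip):
    """Apply the proxy's subset policy to one PORT command.

    Returns (allowed, reason). The only data target accepted is the address
    the control connection came from, on an unprivileged port.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ipaddress.IPv4Address(ip) != ipaddress.IPv4Address(client_ip):
        return False, f"PORT target {ip} is not the control peer {client_ip} (bounce)"
    if port < MIN_CLIENT_PORT:
        return False, f"PORT target port {port} is privileged (< {MIN_CLIENT_PORT})"
    return True, "ok"


def filter_session(lines, client_ip):
    """Run each client command through the policy.

    Returns a list of (line, allowed, reason); non-PORT commands pass through
    untouched, since only PORT is being subsetted here.
    """
    results = []
    for line in lines:
        if line.upper().startswith("PORT"):
            allowed, reason = check_port_command(line, client_ip)
        else:
            allowed, reason = True, "passed through"
        results.append((line, allowed, reason))
    return results


if __name__ == "__main__":
    # Constructed sample session from a client whose control connection
    # arrived from 192.0.2.10 (documentation address, not a real host).
    sample = [
        "USER anonymous",
        "PORT 192,0,2,10,4,1",      # 192.0.2.10:1025 -> allowed
        "PORT 198,51,100,7,0,25",   # third-party host on port 25 -> bounce, refused
        "PORT 192,0,2,10,0,80",     # own host but port 80 -> low port, refused
        "PORT 999,0,2,10,4,1",      # octet out of range -> malformed
    ]
    for line, ok, why in filter_session(sample, "192.0.2.10"):
        print(f"{'ALLOW' if ok else 'DENY ':5} {line!r}: {why}")
```

The check deliberately compares against the control-connection peer rather than against any allow-list: that is the narrowest subset of PORT that still lets an ordinary active-mode transfer work, which is the trade-off the post describes.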