Firewall Wizards mailing list archives
Re: Re: Firewalls breaking stuff: [Was re: fwtk]
From: Paul Robertson <proberts () patriot net>
Date: Mon, 22 Jul 2002 14:30:14 -0400 (EDT)
On Mon, 22 Jul 2002, Charles W. Swiger wrote:
> I agree that the two are very distinct things. Perhaps we're simply disagreeing about how common the requirement to provide remote mail access is...?

I believe that we are.

> We all draw from past experiences; almost every company I've worked with has wanted remote mail access (90% plus), but only 25% or so wanted to go to a VPN or equivalent, although the latter is becoming more common nowadays.

I've been staunchly anti-VPN for a good number of years so far, and I can't say that my experiences aren't that >90% of places are looking at, deploying or already have some sort of VPN access.

> It's true that the mail relay/reader box (or boxes; they don't have to be the same) has to be able to authenticate users, and you have to maintain the list as people join and leave. This would be true of any mail system (even one used internally), however.

There's a distinct difference between boxes MUAs connect to and gateways that the entire world might connect to- again we get to MJR's point about complexity and security systems.

> > Now people will send and receive mail on machines that the company doesn't own which may be trojaned...
>
> Why wouldn't the company own their machines?

You had the mail going out to an ISP-run MX box- I'm assuming the company doesn't own the ISP (fairly typical of organizations which aren't part of a state or local government in my experience.)

> If you want to provide complete internal access from a fixed remote location, then a VPN is a great solution. If you only want to provide email access from random rather than predetermined remote locations, VPNs seem less well suited.

Given that a lot of VPN solutions stop external connectivity to the box hitting the trusted service, I disagree.

> > > Would plain text be better under any circumstances? (If so, why?)
> >
> > Plain text is better under circumstances where you're doing things with the data that don't have the ability to get the key, where local legal requirements make encryption prohibitive, where you want someone to access the data,
>
> These requirements you mention are orthogonal to the issue of whether encrypted passwords are better than plain text passwords from the standpoint of security.

Admittedly a very corner case, but not from an information warfare perspective- disinformation is as much a part of security in some realms as information.

> > > FEATURE(`nocanonify') and relay email to your ISP's mailserver rather than doing DNS lookups locally?
> >
> > That would require all mail to be relayed, kind of taking away the value of the TLS unless you're in an organization that only has one or two domains- if the intent is for employees to be able to mail to other employees, the privacy is probably as important as the authentication, no?
>
> Why would you do that? Of course you wouldn't relay internal mail outside!

I spent a lot of the last few years working at or with very large companies, where figuring out what was "internal" wasn't trivial even based on address- that's why adding an ISP's mailserver is to me not a good option- it's been my experience that it's easier to have mail intercepted at an ISP's server than it is off a backbone link.

> However, all Internet-bound email is going to be relayed outside in any event, thus your mailserver(s) can avoid performing DNS lookups by handing the mail to the ISP's mailserver(s), instead.
Would that all the networks I inherited over the years were so simply crafted.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
proberts () patriot net         which may have no basis whatsoever in fact."
probertson () trusecure com    Director of Risk Assessment, TruSecure Corporation
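The split the two of them are arguing about (hand only Internet-bound mail to the ISP relay, keep the organization's own domains inside so the TLS hop stays under your control) can be expressed in sendmail's m4 configuration. This is an added example, not from the thread or either author; every hostname, domain and certificate path is a placeholder.

```m4
dnl Added example, not from the thread. sendmail .mc fragment that relays only
dnl Internet-bound mail to the ISP while the organization's own domains are
dnl delivered to an internal hub. Hostnames, domains and paths are placeholders.
VERSIONID(`relay-policy-example')dnl
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl
dnl Skip local canonification (the DNS lookups Charles mentions); the relay
dnl and the internal hub do that work for their respective destinations.
FEATURE(`nocanonify')dnl
dnl The mailertable is consulted before SMART_HOST, so domains listed there
dnl never leave the organization. /etc/mail/mailertable (placeholder content):
dnl   corp.example     esmtp:[mailhub.corp.example]
dnl   .corp.example    esmtp:[mailhub.corp.example]
dnl Build the db with: makemap hash /etc/mail/mailertable < /etc/mail/mailertable
FEATURE(`mailertable')dnl
dnl Anything not matched above is Internet-bound and goes to the ISP relay.
dnl Square brackets suppress the MX lookup on the relay name itself.
define(`SMART_HOST', `esmtp:[smtp.isp.example.net]')dnl
dnl STARTTLS for both hops. Whether the ISP relay actually negotiates TLS, and
dnl with what certificate, is something to verify in the logs rather than assume.
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/host.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/host.key')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/host.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/host.key')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
```

After generating sendmail.cf, `sendmail -bv user@corp.example` should report the internal hub as the delivery host and `sendmail -bv someone@elsewhere.example` the ISP relay; if both show the relay, the mailertable is not being consulted.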