Firewall Wizards mailing list archives

Re: Re: Firewalls breaking stuff: [Was re: fwtk]


From: Paul Robertson <proberts () patriot net>
Date: Mon, 22 Jul 2002 14:30:14 -0400 (EDT)

On Mon, 22 Jul 2002, Charles W. Swiger wrote:

I agree that the two are very distinct things.  Perhaps we're simply 
disagreeing about how common the requirement to provide remote mail access 
is...?

I believe that we are.

We all draw from past experiences; almost every company I've worked with 
has wanted remote mail access (90% plus), but only 25% or so wanted to go 
to a VPN or equivalent, although the latter is becoming more common 
nowadays.

I've been staunchly anti-VPN for a good number of years so far, and I 
can't say that my experiences aren't that >90% of places are looking at, 
deploying or already have some sort of VPN access.

It's true that the mail relay/reader box (or boxes; they don't have to be 
the same) has to be able to authenticate users, and you have to maintain 
the list as people join and leave.

This would be true of any mail system (even one used internally), however.

There's a distinct difference between boxes MUAs connect to and gateways 
that the entire world might connect to- again we get to MJR's point about 
complexity and security systems.

Now people will send and receive mail on machines that
the company doesn't own which may be trojaned...

Why wouldn't the company own their machines?

You had the mail going out to an ISP-run MX box- I'm assuming the company 
doesn't own the ISP (fairly typical of organizations which aren't part of 
a state or local government in my experience.)

If you want to provide complete internal access from a fixed remote 
location, then a VPN is a great solution.  If you only want to provide 
email access from random rather than predetermined remote locations, VPNs 
seem less well suited.

Given that a lot of VPN solutions stop external connectivity to the box 
hitting the trusted service, I disagree.

Would plain text be better under any circumstances?  (If so, why?)

Plain text is better under circumstances where you're doing things with
the data that don't have the ability to get the key, where local legal
requirements make encryption prohibitive, where you want someone to access
the data,

These requirements you mention are orthogonal to the issue of whether 
encrypted passwords are better than plain text passwords from the 
standpoint of security.

Admittedly a very corner case, but not from an information warfare 
perspective- disinformation is as much a part of security in some realms 
as information.

FEATURE(`nocanonify') and relay email to your ISP's mailserver rather 
than
doing DNS lookups locally?

That would require all mail to be relayed, kind of taking away the value
of the TLS unless you're in an organization that only has one or two
domains- if the intent is for employees to be able to mail to other
employees, the privacy is probably as important as the authentication, no?

Why would you do that?  Of course you wouldn't relay internal mail outside!

I spent a lot of the last few years working at or with very large 
companies, where figuring out what was "internal" wasn't trivial even 
based on address- that's why adding an ISP's mailserver is to me not a 
good option- it's been my experience that it's easier to have mail 
intercepted at an ISP's server than it is off a backbone link.

However, all Internet-bound email is going to be relayed outside in any 
event, thus your mailserver(s) can avoid performing DNS lookups by handing 
the mail to the ISP's mailserver(s), instead.

Would that all the networks I inherited over the years were so simply 
crafted.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
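For readers who want to see what the nocanonify/ISP-relay setup discussed above looks like in practice, here is a minimal sendmail.mc that does it. This is an added example, not configuration posted by either participant; the hostnames and certificate paths are placeholders.

```m4
divert(-1)
dnl Added example (not from the list thread): skip local DNS canonification
dnl and hand all non-local mail to the ISP's relay, as suggested in the thread.
dnl mailrelay.isp.example and the /etc/mail/certs paths are placeholders.
divert(0)dnl
VERSIONID(`relay-to-isp example')dnl
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl
dnl Do not canonify recipient addresses through DNS at submission time;
dnl the smart host resolves recipient domains instead.
FEATURE(`nocanonify')dnl
dnl Route every non-local message to the ISP relay. The square brackets
dnl make sendmail connect to that host directly instead of doing an MX lookup.
define(`SMART_HOST', `[mailrelay.isp.example]')dnl
dnl STARTTLS client settings for the hop to the relay. This protects only
dnl that single hop: once the ISP relays onward, the message is exposed at
dnl the ISP's server and beyond, which is the trade-off Paul raises above.
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/client.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/clientkey.pem')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
```

Because SMART_HOST applies to all non-local mail, mail between two of the organization's own domains also takes this path; that is the case where relaying through the ISP gives up the privacy that direct TLS delivery would have kept.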

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards