Security Basics mailing list archives

Re: RE: suggestions on a good firewall


From: "Ivan Coric" <ivan.coric () workcoverqld com au>
Date: Tue, 24 Jun 2003 12:12:17 +1000

I stand corrected: CheckPoint has native support for this, as does the
PIX.

Mail (SMTP) Support

While originally designed to provide maximum connectivity between users
accessing the Internet from any geographical location, the SMTP protocol
poses a challenge to the security manager who wishes to maintain
connectivity but keep intruders out of internal networks.

FireWall-1 and VPN-1 Gateways protect the network by providing highly
granular control over SMTP connections including the ability to: 

- Block the relaying of SPAM through the corporate gateway
- Hide an outgoing mail's "From" address behind a standard generic address
  that conceals internal network structure and real internal users
- Redirect mail sent to given "To" addresses (for example, root)
- Drop mail from given addresses
- Strip attachments of given types from mail
- Strip the Received information from outgoing mail in order to conceal
  internal network structure
- Drop mail messages above a given size
- Perform anti-virus scanning

Check Point's SMTP Security Server provides the highest level of network
protection by only supporting the basic set of SMTP commands. This
increases security since FireWall-1 and VPN-1 Gateways will block other
SMTP commands that might be utilized for malicious intent.
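The following is an added example written for this archive page, not code from the thread, from Check Point or from Cisco: a small Python model of an SMTP guard that applies the RFC 821 command allowlist Ivan's 22 June message (quoted further down) attributes to the PIX mail guard (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) and the outgoing-mail controls listed above (hide the real From, strip Received headers, strip attachments by type, drop oversize mail). The generic From address, the banned extensions, the size limit, the hostnames and the "500" reply given to refused commands are all assumptions; the page does not say what reply the real products send.

```python
# Added example: a toy SMTP "mail guard" modelled on the controls this
# thread attributes to the PIX fixup and the Check Point SMTP Security
# Server.  Not vendor code; assumptions are marked below.
from email import message_from_string
from typing import List, Optional, Tuple

# The RFC 821 commands the PIX mail guard is said to pass (from the thread).
ALLOWED_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
GENERIC_FROM = "mail@corp.example"             # assumed generic "From" address
BANNED_EXTENSIONS = (".exe", ".scr", ".vbs")   # assumed attachment policy
MAX_MESSAGE_BYTES = 10 * 1024 * 1024           # assumed size limit


def run_session(client_lines: List[str]) -> Tuple[List[str], List[str]]:
    """Walk a client's lines through the guard.

    Returns (forwarded, blocked): the lines relayed to the inner mail server
    and the command verbs the guard refused.  A refused command is answered
    by the guard itself (modelled as "500 command unrecognized") and never
    reaches the server.  Lines between DATA and the terminating "." are
    message content and are never command-filtered; otherwise a body line
    beginning with "VRFY" would be mangled.  Simplification: a real guard
    enters DATA mode only after the server's 354 reply; this model assumes
    the server accepted DATA.
    """
    forwarded: List[str] = []
    blocked: List[str] = []
    in_data = False
    for line in client_lines:
        if in_data:
            forwarded.append(line)
            if line == ".":
                in_data = False
            continue
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in ALLOWED_COMMANDS:
            forwarded.append(line)
            in_data = verb == "DATA"
        else:
            blocked.append(verb)   # guard answers 500, server never sees it
    return forwarded, blocked


def sanitize_outgoing(raw: str) -> Optional[str]:
    """Apply the outgoing-mail controls to one RFC 822 message: drop it if
    over the size limit, hide the real From behind the generic address,
    strip every Received header, and drop attachments whose filename has a
    banned extension.  Returns the rewritten message, or None to drop it."""
    if len(raw.encode("utf-8")) > MAX_MESSAGE_BYTES:
        return None
    msg = message_from_string(raw)
    del msg["Received"]                        # deletes all Received headers
    if "From" in msg:
        msg.replace_header("From", GENERIC_FROM)
    if msg.is_multipart():
        kept = [part for part in msg.get_payload()
                if not (part.get_filename() or "").lower().endswith(BANNED_EXTENSIONS)]
        msg.set_payload(kept)
    return msg.as_string()


# Constructed sample session: an outside client probing the gateway.
SAMPLE_SESSION = [
    "EHLO probe.example.net",            # not in the RFC 821 set: refused
    "HELO probe.example.net",
    "VRFY root",                         # account enumeration: refused
    "MAIL FROM:<probe@example.net>",
    "RCPT TO:<root@mail.corp.example>",
    "DATA",
    "Subject: test",
    "",
    "VRFY postmaster",                   # inside the body: must pass through
    ".",
    "EXPN staff",                        # list expansion: refused
    "QUIT",
]

# Constructed outgoing message with internal hostnames in its Received
# headers and an executable attachment.
SAMPLE_OUTGOING = """\
Received: from ws42.corp.internal (10.1.2.42) by mx1.corp.internal; Tue, 24 Jun 2003 12:00:00 +1000
Received: from mx1.corp.internal by gw.corp.internal; Tue, 24 Jun 2003 12:00:01 +1000
From: alice@ws42.corp.internal
To: bob@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

See attached.
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="tool.exe"

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

if __name__ == "__main__":
    fwd, blk = run_session(SAMPLE_SESSION)
    print("refused commands:", blk)
    print(sanitize_outgoing(SAMPLE_OUTGOING))
```

Run it with `python3 smtp_guard.py`; it prints the refused verbs (EHLO, VRFY, EXPN) and the rewritten message with no Received headers, the generic From and the .exe part gone. Two things worth noticing: the guard has to track DATA mode, or it would "filter" message bodies; and EHLO is not in the list the thread gives, so a client offering ESMTP gets a 5xx from such a guard and must fall back to HELO, which means STARTTLS and the other extensions are unavailable through it.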


Bourque Daniel <Daniel.Bourque () loto-quebec com> 06/24/03 12:04pm


I was just responding to the example you use.  I don't need INSPECT
code to protect my mail server and yes, I use both products and yes
again, both are good.


--------------------------
Daniel Bourque
BlackBerry


-----Original Message-----
From: Ivan Coric <ivan.coric () workcoverqld com au>
To: Daniel.Bourque () loto-quebec com <Daniel.Bourque () loto-quebec com>;
Willi.Web () mail4web de <Willi.Web () mail4web de>;
security-basics () securityfocus com <security-basics () securityfocus com>;
David.Ellis () unicam com <David.Ellis () unicam com>;
ivan.coric () workcoverqld com au <ivan.coric () workcoverqld com au>
Sent: Mon Jun 23 20:33:07 2003
Subject: Re: RE : suggestions on a good firewall

Daniel,
And? If you bothered to look at the thread, you would see it pertains
to whether the PIX actually inspects application data, not whether
CheckPoint does!

The PIX also does Java applet filtering, ActiveX blocking and can work
with a url-filtering server. For this to work it must be able to look
into the packets, eh Chris?

I am not saying that the PIX is better than CheckPoint, nor that
CheckPoint is better than the PIX, rather explaining that the PIX does
actually do stateful inspection. I use CheckPoint, PIX, Netscreen and
iptables here, and IMHO they are all great products.

cheers
Ivan

Bourque Daniel <Daniel.Bourque () loto-quebec com> 06/24/03 02:45am

Correct me if I am wrong, but with Checkpoint the smtp security server
allows you to terminate the smtp session at the fw, which will in turn
send it to your smtp mail server.

If you telnet to port 25, it's the fw talking back.

-----Original Message-----
From: Ivan Coric [mailto:ivan.coric () workcoverqld com au]
Sent: 22 June 2003 19:24
To: Willi.Web () mail4web de; security-basics () securityfocus com;
David.Ellis () unicam com; ivan.coric () workcoverqld com au
Subject: RE: suggestions on a good firewall


Let's take the SMTP protocol for example: fixup SMTP enables the mail
guard feature, which only lets mail servers receive the RFC 821 commands
HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT. All other commands are
rejected.

If you want to do a similar thing in CheckPoint you will need to
provide the INSPECT code to do it.

I can netcat through my CheckPoint FW to my mail servers, web servers
etc. Even do a HEAD request to get a banner of the web server and the
CP FW does it happily.

cheers
Ivan


Willi Web <Willi.Web () mail4web de> 06/20/03 10:25pm >>>
The FIXUP protocol is there to correct irregular behavior in normal
protocols. For example, the FTP Fixup allows traffic in on port 20 when
the traffic originated on 21. The SMTP fixup disallows certain SMTP
commands that could be used for nefarious purposes. The PIX cannot shun
traffic based on what the FIXUP protocols detect. There is no dynamic
ACL creation possible.

The PIX is not a true application level firewall. I can send NETCAT
traffic over HTTP and the PIX will never know. Whereas the Checkpoints
and Raptors can detect anomalies in traffic, and act on them.

--Chris
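The FTP fixup Chris describes has to read the control channel to learn which data connection to permit, which is what distinguishes application inspection from a port-based rule. As an added example (the editor's code for this page, not Cisco's), the Python below derives that pinhole from a client's PORT command and, going beyond the active-mode case the text describes, from the server's 227 reply in passive mode. The refusal of addresses other than the control connection's peer (the classic FTP bounce check) and of privileged ports is an assumed policy, and the addresses and lines are constructed.

```python
# Added example: deriving the data-channel "pinhole" an application-aware
# firewall opens for FTP, the behaviour the fixup ftp in this thread
# provides.  Not Cisco code; the port policy below is an assumption.
import re
from typing import Optional, Tuple

# Firewall rule: (src_ip, src_port or None for "any", dst_ip, dst_port)
Pinhole = Tuple[str, Optional[int], str, int]

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(parts) -> Tuple[str, int]:
    """Turn the h1,h2,h3,h4,p1,p2 form of RFC 959 into (ip, port)."""
    nums = [int(x) for x in parts]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinhole_for_port(cmd: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Active mode: the client sends PORT on the control connection (port 21)
    and the server then connects *from* port 20 *to* the advertised address.
    The firewall may only open that hole if the address is the client's own,
    otherwise a client could aim the server at a third host (FTP bounce).
    Assumed policy: refuse privileged ports so the hole cannot land on, say,
    port 25 of the client side."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    try:
        ip, port = _decode(m.groups())
    except ValueError:
        return None
    if ip != client_ip or port < 1024:
        return None
    return (server_ip, 20, ip, port)


def pinhole_for_pasv(reply: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Passive mode (the generalisation; the text only describes the active
    case): the server answers PASV with a 227 reply naming the address and
    port the client must connect to from an ephemeral port.  The address
    must be the server's own for the same reason as above."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    try:
        ip, port = _decode(m.groups())
    except ValueError:
        return None
    if ip != server_ip or port < 1024:
        return None
    return (client_ip, None, ip, port)


# Constructed control-channel lines; client 192.0.2.10, server 198.51.100.5.
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.5"
SAMPLE_PORT = "PORT 192,0,2,10,4,1"                              # 192.0.2.10:1025
SAMPLE_BOUNCE = "PORT 192,0,2,99,0,25"                           # third host, port 25
SAMPLE_PASV = "227 Entering Passive Mode (198,51,100,5,195,80)."  # 198.51.100.5:50000

if __name__ == "__main__":
    print(pinhole_for_port(SAMPLE_PORT, CLIENT_IP, SERVER_IP))
    print(pinhole_for_port(SAMPLE_BOUNCE, CLIENT_IP, SERVER_IP))
    print(pinhole_for_pasv(SAMPLE_PASV, CLIENT_IP, SERVER_IP))
```

The first call yields the rule a stateless "allow port 20 inbound" filter can only approximate (it would have to allow port 20 to every client port permanently); the bounce line yields no rule at all, which is the check a practitioner wants to see any FTP-aware firewall perform before trusting it.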


-----Original Message-----
From: Ivan Coric [mailto:ivan.coric () workcoverqld com au] 
Sent: Monday, May 26, 2003 7:42 PM
To: security-basics () securityfocus com; Christopher Harrington;
David.Ellis () unicam com 
Subject: RE: suggestions on a good firewall


Hi Chris,
I beg to differ, Cisco has a command called "fixup", which is used to
set application inspection.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb727.html#wp1063233


cheers



Ivan Coric
IT Technical Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: ivan.coric () workcoverqld com au 

"Christopher Harrington" <charrington () syseng com> 05/25/03 12:51pm

Ok... I agree that the 2 are different firewalls. Cisco does not do
application level inspection, Checkpoint does for example.

NG fp3 came out fall of 2002 (about ??), about the same time as PIX
6.2. We are tied :), the PIX has had 2 vulns since version 6.2 came out.

BTW I never said I disliked Checkpoint, to the contrary actually. I
just take exceptions to incorrect statements.

--Chris

-----Original Message-----
From: David Ellis [mailto:David.Ellis () unicam com] 
Sent: Saturday, May 24, 2003 8:53 PM
To: Christopher Harrington; security-basics () securityfocus com 
Subject: RE: suggestions on a good firewall


I am talking about the new version of checkpoint, not 4.1 or 4.0. I am
talking about NGFP3. Checkpoint doesn't even support the earlier
versions anymore. And Cisco's idea of stateful packet inspection is
actually reverse engineered Checkpoint. Checkpoint developed it and even
have a patent on stateful packet inspection technology. They even tried
to bring Cisco to court for saying they were stateful packet inspection
firewalls but Cisco won due to the way they worded it. Also OPSEC
standards (Open Platform for Security) is brought to you by Checkpoint
Systems. I love Checkpoint firewalls as you can see. :-)
They also have a secure platform which can load on a system which runs
on a stripped down linux and you can even go with nokia appliance which
comes with Checkpoint NG. I personally think Cisco should stay with
routers and switches (which they are great at).

Then look at the stats after you look up checkpoint NG fp3

# of vulns on PIX   --->  16
# of vulns on Checkpoint  ---> 2

Thanks for listening :-)

-----Original Message-----
From: Christopher Harrington [mailto:charrington () syseng com] 
Sent: Friday, May 23, 2003 1:14 PM
To: security-basics () securityfocus com 
Subject: RE: suggestions on a good firewall

Ahhh... maybe you should actually look at bugtraq before you open
yourself up like that.

# of vulns on PIX   --->  16
# of vulns on Checkpoint  ---> 30

"A new vulnerability is found every other week"... unfounded comments
like that do not help.

--Chris


-----Original Message-----
From: David Ellis [mailto:David.Ellis () unicam com] 
Sent: Thursday, May 22, 2003 12:34 PM
To: Potter, Tim; security-basics () securityfocus com 
Subject: RE: suggestions on a good firewall


Actually the checkpoint implied rules are not actually hidden. You just
enable and disable through global properties, and I prefer checkpoint
over pix cause just look at the bugtraq record on pix. A new
vulnerability is found every other week.

-----Original Message-----
From: Potter, Tim [mailto:Tim.Potter () clarkconsulting com] 
Sent: Wednesday, May 21, 2003 12:07 PM
To: security-basics () securityfocus com 
Subject: RE: suggestions on a good firewall


Actually the PIX does have a "pretty" graphical interface.  I'm not
fond of it for many tasks, but the "PDM" can be good for someone newer
to managing a PIX.

Also, for a cheaper hardware-based application firewall I would go
with the Watchguard.  My application firewall of choice would be
Sidewinder or Checkpoint, but you can't beat the cost of the
Watchguard.  Older versions of the firmware required a reboot for every
change, but they have gotten much better with the newest firmware.

-Tim

-----Original Message-----
From: Mark Ng [mailto:laptopalias1-mark () informationintelligence net] 
Sent: Tuesday, May 20, 2003 11:56 AM
To: salgak () speakeasy net; security-basics () securityfocus com 
Subject: RE: suggestions on a good firewall




Agreed.

> A Windows box, properly locked down, can be a reliable firewall.

There's an element of truth to that - but I'm not sure I'd want to be
the person locking it down or keeping up to date with patches ;).  I
also wouldn't recommend Windows unless in an HA pair.

There's also a very strong argument for openbsd and PF too (stability,
proven track record of security) - however, it's not as manageable as
some other solutions.

> Locking it down can be a chore, a much easier chore with Win2003
> server, but still takes some expertise and finesse.  I prefer

I've not yet had any experience with 2k3, so I can't possibly comment.

> hardware firewalls with a firmware basis, as they're harder to
> exploit, but many brands have reliability issues.  I'm currently
> running Checkpoint and Gauntlet on Solaris, but this is a production
> environment I've inherited.

If you're in the hardware firewall market, I quite like Netscreen and
PIX.  Netscreen had some issues with some software upgrades being a bit
buggy some time recently though iirc, but on the whole, they're fairly
solid firewalls that are easy to administer.  PIXes of course don't
have the pretty graphical interface, but are solid firewalls.  I don't
like Checkpoint, any firewall that comes by default with "Hidden
Implied Rules" doesn't wash with me (is this still the case with newer
versions of Checkpoint ?)

> For a good, relatively inexpensive firewall, I'd recommend the
> Linux-Mandrake firewall solution, running on commodity Intel
> hardware.
>
> Simple to set up, fairly easy to run, easy to maintain.

Smoothwall definitely has its merits in this arena - and by extension
I'd imagine IPcop does too.

> 2. What can my sysadmin handle ?  A Junior MCSE handed a

To be honest, I don't really think an MCSE with small amounts of job
experience should ever be handed main security responsibility.  There's
merit to outsourcing security functions in this event if you're too
small to justify full time security staff or experienced systems
administrators with security experience.  Any firewall configured badly
is a bad firewall, be it IPcop, Smoothwall, OpenBSD/PF, Checkpoint or
whatever.

Regards,


Mark



------------------------------------------------------------------------
---
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check
Point, Hacking & Assessment, Cisco Security, Wireless Security & more!
Register
Now! --UP TO 30% off classes in select cities-- 
http://www.securityfocus.com/Vigilar-security-basics 
------------------------------------------------------------------------
----




************************************************************************
**************************
** eSafe-portsmouth scanned this email for viruses, vandals and
malicious
content **
************************************************************************
**************************








************************************************************************
***
Messages included in this e-mail and any of its attachments are those
of the
author unless specifically stated to represent WorkCover Queensland.
The
contents of this message are to be used for the intended purpose only
and
are to be kept confidential at all times. This message may contain
privileged information directed only to the intended addressee/s.
Accidental
receipt of this information should be deleted promptly and the sender
notified. This e-mail has been scanned by Sophos for known viruses.
However,
no warranty nor liability is implied in this respect.
**********************************************************************



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while
InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access
in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm 
----------------------------------------------------------------------------





