Security Basics mailing list archives

Re: Cisco PIX fixup protocol command


From: Brian Ford <brford () cisco com>
Date: Thu, 12 Feb 2004 11:07:58 -0500

Jamie,

> The fixup means that it will add stateful connection tracking to the
> protocol/port you desire. This keeps the firewall from using more
> resources than necessary, and I would imagine speeds things up as well.

This is incorrect. The PIX is a stateful firewall and maintains state on all traffic going through the firewall, whether a fixup exists or not. Note that this is "going through". The PIX maintains state of connections for traffic that was passed. The PIX doesn't maintain state for traffic that was dropped (because there is no connection).

The use of fixups has no significant impact on resources. In some instances where addresses are being translated the PIX might temporarily allocate some memory to make a copy of the packet.

The use of fixups usually impacts performance based on the ratio of packets that match the protocol type versus the total amount of traffic that is being passed and based on the fixups (some do more than others).

The reason why a security evaluation might result in a recommendation to remove certain PIX fixups is simple. The evaluation may have found that there was no need for those types of traffic to be processed through the firewall. If you have a security policy that does not permit SMTP, there is no need to have the SMTP fixup enabled.

I hope this helps.

Liberty for All,

Brian

At 01:48 PM 2/11/2004 -0500, Jamie Pratt wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The fixup means that it will add stateful connection tracking to the
protocol/port you desire. This keeps the firewall from using more
resources than necessary, and I would imagine speeds things up as well.
As far as SMTP goes, it's often recommended NOT to use it - basically,
commands like EHLO (instead of HELO, which MANY mail clients use
instead) will not work, ESMTP breaks, etc., etc. (At least on Qmail
servers anyhow - not sure about the others - it also hides the SMTP
banner with XXXX's, which is good of course, but at the expense of
[possibly] losing email, depending on your mail server type.)

As far as security implications of 'no fixup', I'm guessing the
TCP sequence numbers would probably be easier to guess, which as most
know, is a difficult way to hack a firewall anyhow... - personally, I
would think it would be more secure, not less..? (I could be wrong..
comments?)

The syntax of 'no fixup protocol service port' basically means to treat
that port/service/protocol as non-stateful, meaning all the packets will
have to traverse the ruleset, just adding overhead to the firewall in
general. I may be wrong here, but I believe that is really all there is
to it...

there is a mailing list out there called fw-wiz, or 'firewall wizards',
(not sure of the URL sorry) which is probably better able to answer this
in more detail..

regards,
jamie

S.Rohit wrote:

| Hi everyone....
|
|    Might sound like a very stupid question to ask, but I am looking for info
| on what is the use of fixup protocol commands on the Cisco PIX device. What is
| the exact usage and significance of these commands? And what are the security
| implications of this command? I know that some fixups like, say, fixup protocol
| smtp are good because of the way they restrict the SMTP command set, but how about
| the general syntax [no] fixup protocol [service] [port]? What is this used for
| and what are the security implications for this?
|
|    I am asking this because I'm seeing a recommendation in some PIX hardening
| guide to disable fixups or they flag fixups as a security issue? Why is that?
|
| rohit
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAKnkAFnM/ewGVQ7IRAh+/AJ9YK21FgBto+d2wzVesZ6VMWOY/jQCeOJqb
Bx71GObl/YaaYWHi829mz1w=
=HfLd
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------



Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/

The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc.

This email address is transmitted from San Jose, California, U.S.A.
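As an added illustration for this thread (not code from the thread, from Cisco, or from any PIX release), the Python below models the two effects of the SMTP fixup that Jamie and Rohit describe: the server's 220 banner is masked, and only the RFC 821 section 4.5.1 minimum command set (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) is forwarded, so an ESMTP client's EHLO is refused with a 500 and the client has to fall back to HELO. `enabled=True` stands for `fixup protocol smtp 25`, `enabled=False` for `no fixup protocol smtp 25`. The hostnames, the message and the toy server's replies are constructed; the masking character X follows Jamie's description and is an assumption, as is the fixup answering the 500 itself rather than the server.

```python
# Toy model of the PIX SMTP fixup (Mail Guard) for this thread. Added example,
# not Cisco code. Hosts, message and server replies are constructed.

# RFC 821 section 4.5.1 minimum implementation: the only verbs the fixup forwards.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MASK = "X"  # assumption: the thread says the banner is hidden with X's


def mask_banner(reply: str) -> str:
    """Keep the 220 reply code, hide the text that identifies the server."""
    if reply.startswith("220"):
        code, _, text = reply.partition(" ")
        return f"{code} {MASK * len(text)}"
    return reply


class ToyServer:
    """Constructed ESMTP server behind the firewall."""
    BANNER = "220 mail.example.com ESMTP toy"

    def __init__(self):
        self.seen = []       # verbs that actually reached the server
        self.body = []       # message body lines received after DATA
        self.in_data = False

    def handle(self, line: str) -> str:
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 OK queued"
            self.body.append(line)
            return ""  # body lines get no reply
        verb = line.split(" ", 1)[0].upper()
        self.seen.append(verb)
        if verb == "EHLO":
            return "250 mail.example.com offers ESMTP extensions"
        if verb in {"HELO", "MAIL", "RCPT", "RSET", "NOOP"}:
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


class SmtpFixup:
    """On the path between client and server.
    enabled=True  ~ 'fixup protocol smtp 25'
    enabled=False ~ 'no fixup protocol smtp 25' (plain pass-through)"""

    def __init__(self, server: ToyServer, enabled: bool = True):
        self.server = server
        self.enabled = enabled
        self.blocked = []    # verbs the fixup answered itself (assumption)
        self.in_data = False

    def banner(self) -> str:
        return mask_banner(self.server.BANNER) if self.enabled else self.server.BANNER

    def send(self, line: str) -> str:
        """Client line in, reply to the client out."""
        if self.enabled and not self.in_data:
            verb = line.split(" ", 1)[0].upper()
            if verb not in ALLOWED:
                self.blocked.append(verb)
                return "500 Command unrecognized"  # server never sees it
        reply = self.server.handle(line)
        if self.in_data:
            if line == ".":
                self.in_data = False
        elif reply.startswith("354"):
            self.in_data = True  # message body is not command-filtered
        return reply


def run_session(enabled: bool):
    """Constructed ESMTP client: EHLO first, HELO fallback on a 5xx reply,
    then one message. Returns (transcript, fixup, server) for inspection."""
    server = ToyServer()
    fixup = SmtpFixup(server, enabled)
    transcript = [("S", fixup.banner())]

    def say(line: str) -> str:
        transcript.append(("C", line))
        reply = fixup.send(line)
        if reply:
            transcript.append(("S", reply))
        return reply

    if say("EHLO client.example.net").startswith("5"):
        say("HELO client.example.net")
    say("MAIL FROM:<alice@example.net>")
    say("RCPT TO:<bob@example.com>")
    if say("DATA").startswith("354"):
        for body_line in ("Subject: fixup test", "", "hello", "."):
            say(body_line)
    say("QUIT")
    return transcript, fixup, server


if __name__ == "__main__":
    for enabled in (True, False):
        transcript, fixup, server = run_session(enabled)
        print(f"--- fixup {'on' if enabled else 'off'}: blocked={fixup.blocked}")
        for who, text in transcript:
            print(f"{who}: {text}")
```

Running it prints both transcripts. With the fixup on, the client sees `220 XXXX...`, its EHLO is answered 500 without reaching the server, and the session continues in plain SMTP; with the fixup off, the banner and the EHLO pass untouched. That is the trade-off the thread is about: the fixup hides the banner and narrows the command set at the cost of breaking ESMTP for clients that cannot fall back.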


