RE: Cisco PIX fixup protocol command

["Christopher Black" <cblack () cc3 com>]

The fixup commands in a PIX are designed to allow a higher level of
control to the ports that are opened for traffic.  Take the SMTP Fixup
for example.

Normal ALC rules for e-mail would allow port 25,  This is an OSI layer 4
firewall rule.  You define the src, dst and the port.  The fixup
protocol takes this a step further and only allow the basic 7 commands
for SMTP traffic to be sent over port 25, thus working at the higher
levels of the OSI model.  So they are not short cuts.  A short cut would
be to add a rule such as:

A list of the commands that the fixup allows can be viewed at Cisco's
web site.

Access-list acl-in permit tcp any any eq 25

Hope that helps

Chris 

> -----Original Message-----
> From: kawaii ryuko [mailto:trunks () stackers org] 
> Sent: Wednesday, February 11, 2004 1:23 PM
> To: security-basics () securityfocus com
> Subject: Re: Cisco PIX fixup protocol command
>
> From: "S.Rohit" <s.rohit () usa net>
> Sent: Wednesday, February 11, 2004 05:52
>
>
> > hi everyone....
> >
> >    might sound like a very stupid question to ask, but i am 
> looking for
> info
> > on wat is the use of fixup protocol commands on the Cisco 
> PIX device. wat
> is
> > the exact usage and significance of this commands? and wat are the
> security
> > implications of this command? i know that some fixup's like 
> say fixup
> protocol
> > smtp are good cos of the way they restrict the SMTP command 
> set but how
> about
> > the general syntax [no] fixup protocol [service] [port]? 
> what is this used
> for
> > and wat are the security implications for this?
>
> Good firewall policy means you know /exactly/ what ports are 
> open and what
> you are allowing through. Unless you are using a specific 
> fixup service, it
> is best to turn them off. Personally, I like to turn off all 
> fixup protocols
> and then open up ports as need be.
>
> The fixup series of commands are basically shortcuts that let 
> you open up a
> service without having to go through all the individual ports (if I
> understand it correctly.)
>
> > rohit
>
> Ever lovable and always scrappy,
> kawaii
>
>
> --------------------------------------------------------------
> -------------
> Free trial: Astaro Security Linux -- firewall with Spam/Virus 
> Protection
>
> Protect your network with the comprehensive security solution that
> integrates six applications for ease of use and lower TCO.
>
> Firewall - Virus protection - Spam protection - URL blocking - VPN
> - Wireless security.
>
> Download 30-day evaluation at:
> http://www.astaro.com/php/contact/securityfocus.php
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------