Firewall Wizards mailing list archives

Re: A fun smackdown...


From: Chuck Swiger <chuck () codefab com>
Date: Thu, 19 May 2005 09:57:42 -0400

On May 19, 2005, at 9:04 AM, Paul D. Robertson wrote:
> On Tue, 17 May 2005, Martin wrote:
>> "Be liberal in what you accept; be strict in what you send."
>
> _All_ effective security controls break that tenet. The more liberal your
> controls, the more risk you assume.

There is more to an effective security control than only denying stuff! I think you're over-valuing the utility of "deep protocol inspection", Paul, and you seem to be ignoring the risks of denying legitimate connections which should have been permitted.

An effective security measure needs to implement the security policy. It needs to permit the types of access that legitimate users are allowed to have, for the system-- meaning the network, the firewall, and the server(s) or other equipment being used-- to work correctly. This is just as important as denying access to stuff that is not permitted by the security policy.

Has "fixup protocol smtp 25" actually done much to prevent a vulnerable M$ Exchange box from being owned, or helped control the flow of spammy/virusized traffic significantly? Does it help control outbound malicious SMTP traffic? Has it ever happened that a firewall itself ends up with buffer overflow bugs in its own code, trying to implement all the per-protocol stuff?

If you want to manage SMTP securely, blocking port 25 in both directions while permitting only your MX box(es) through would do a heck of a lot more good than the protocol inspection does.

--
-Chuck
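
Added example (not part of the original message): a sketch of the policy described above, where TCP/25 crosses the perimeter only to or from the MX hosts, used to audit flow records for connections the firewall allowed but the policy denies. The addresses, the flow-record layout and the names smtp_policy and audit are constructed assumptions.

```python
import ipaddress

# Constructed values: documentation ranges stand in for a real site.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
MX_HOSTS = {ipaddress.ip_address("192.0.2.25")}
SMTP_PORT = 25


def smtp_policy(src, dst, dport):
    """Decide one perimeter-crossing TCP connection: 'permit', 'deny' or 'n/a'.

    'n/a' means this policy says nothing about the flow (not port 25, or
    the flow does not cross the perimeter in either direction).
    """
    if dport != SMTP_PORT:
        return "n/a"
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_in, dst_in = src in INTERNAL_NET, dst in INTERNAL_NET
    if dst_in and not src_in:   # inbound: only the MX may receive mail
        return "permit" if dst in MX_HOSTS else "deny"
    if src_in and not dst_in:   # outbound: only the MX may send mail
        return "permit" if src in MX_HOSTS else "deny"
    return "n/a"


def audit(flows):
    """Return flows the firewall allowed although the policy denies them."""
    return [f for f in flows
            if f["action"] == "allow"
            and smtp_policy(f["src"], f["dst"], f["dport"]) == "deny"]


# Constructed flow records (hypothetical layout, not from any product's log).
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "192.0.2.25", "dport": 25, "action": "allow"},
    {"src": "198.51.100.7", "dst": "192.0.2.80", "dport": 25, "action": "allow"},
    {"src": "192.0.2.25", "dst": "203.0.113.9", "dport": 25, "action": "allow"},
    {"src": "192.0.2.131", "dst": "203.0.113.9", "dport": 25, "action": "allow"},
    {"src": "192.0.2.131", "dst": "203.0.113.9", "dport": 443, "action": "allow"},
    {"src": "192.0.2.140", "dst": "203.0.113.9", "dport": 25, "action": "deny"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print("policy violation:", f["src"], "->", f["dst"], "tcp/25")
```

An internal host other than the MX that shows up in the audit output is opening SMTP connections directly to the outside, which the rule set should have blocked.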
