Re: A fun smackdown...

["Paul D. Robertson" <paul () compuwar net>]

On Fri, 20 May 2005, Devdas Bhagat wrote:

> On 19/05/05 17:32 -0400, Paul D. Robertson wrote:
> <snip>
> > > I used Cisco's proxying of SMTP as a well-known example of a "security
> > > feature" which breaks legitimate protocol extensions (ESMTP), yet
> >
> > That's the point;  You stop things (I don't think it really "breaks it,"
> > since it should default to HELO instead of EHLO- so "doesn't allow
>
> Yes it does. Minimally, it breaks the requirement that the server
> advertise its fully qualified hostname to the remote SMTP client in the
> greeting.

I'd read Chuck's message to say that it doesn't allow ESMTP, which is
different than breaking it, as you can simply downgrade to SMTP.

> > increased functionality" is probably more accurate.)  Heck, I try not to
>
> The increased functionality enhances security by allowing for
> 1> SMTP AUTH
> 2> TLS
> 3> being able to reject before 'data' based on size as offered by the client.
> (otherwise you have to accept all the data and that can lead to a DoS).
> 4> Catching broken spamware and proxies which spew out SMTP protocol
> stuff before responses without offering EHLO and explicitly being
> offered pipelining.

I'm not arguing that ESMTP doesn't have useful features, I'm saying that
not allowing it is a valid security control, as it increases complexity
(SSL layer in TLS?  Auth password guessing...,) and specifically if it
stops the last Exchange bug, then it's value may come to be a lot greater
than previously thought for those folks who use SMTP-fixup and Exchange
(editorial comments narrowly avoided.)

Actually, you don't have to accept all the data, you can simply close the
connection at N bytes, which you'd have to do if the client lied anyway.

Also, I've seen the same spew in "legitimate" applications (specifically
Delphi controls that couldn't do SMTP correctly,) which is generally where
you get the most flack for adding security controls (breaks "needed
functionality.")

> > run browsers that do ActiveX when I run a browser on a Microsoft OS,
> > that's reduced functionality too- but I'm willing to accept it because it
> > reduces my risk.
> >
> > Guards with guns stop the free flow of people, and reduce the
> > functionality of a place- but they also reduce the risk if they're doing
> > their jobs- and many places are happy to deploy them.
> >
> > > doesn't seem to really improve security, but if you aren't very
> > > familiar with it, I won't insist on debating this particular example.
> > > :-)
> >
> > Does it stop the MS-only extensions?  In that case it does provide some
> > security value- unless you feel that overflows in SMTP verbs aren't that
> > big a security deal...
>
> But those could be stopped by a ESMTP speaking defensive proxy as well.

Which doesn't mean the downgrade wouldn't be protective.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards