At 11:37 PM 5/5/01 -0400, Jason Roysdon wrote:
>Huh?  How would the PIX fixups possibly lead to security holes?  They're
>there to protect the end device and only allow in the RFC commands (which
>can actually be a pain, like with SMTP mailguard being too strict for SMTP
>authentication on Exchange).  I don't see how this can be a security hole,
>but rather it prevents them on flawed/badly coded end devices.
>
>--
>Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
>List email: [EMAIL PROTECTED]
>Homepage: http://jason.artoo.net/
>
>""Carroll Kong""  wrote in message
>[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > At 10:44 AM 5/4/01 -0400, Jim Brown wrote:
>
> > The Pix does a bit more (mini-proxy like actions like 'fixups'), so it
> > actually lends itself to be slightly more vulnerable than say an OpenBSD
> > box + IPFilter.

Any time you try to do more than simple layer 3 packet filtering, you are 
running into dangerous territory.  Any time you try to touch layer 7 
(fixup / quasi-proxy), you are asking for possible danger.

Good security sense, born of programming experience, knows: fewer 
features, fewer bugs, fewer exploits, despite the best intentions.

http://www.securityfocus.com/frames/?content=/templates/advisory.html%3Fid%3D2133

In theory, you are right.  In theory, firewalls + proxies create a powerful 
security environment.  However, in security theory, you cannot fully 
trust anything; that rule should supersede the other two.  (And of course 
bad users are the ultimate weak link, but I digress.)

If an exploit has happened once, do not think it cannot happen again.



-Carroll Kong
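Added for illustration, not part of Carroll's or Jason's posts: the two approaches the exchange contrasts, written out as configuration. The PIX lines show the SMTP fixup (Mailguard) being enabled and then disabled, which is the knob Jason's Exchange case touches; the IPFilter lines show what the OpenBSD alternative does instead. The interface name `xl0` and the address `192.0.2.25` are made up for the example.

```text
: --- Cisco PIX 6.x, constructed example ---
: With the fixup on, the PIX parses every SMTP command on port 25 and passes
: only the RFC 821 command set to the mail server.  That parser is the extra
: layer 7 code Carroll is pointing at: more code in the path, more to get wrong.
fixup protocol smtp 25
show fixup

: With the fixup off, port 25 is an ordinary stateful TCP connection.  This is
: what SMTP AUTH on Exchange needs (Mailguard does not know that verb), and it
: also removes the parser from the attack surface, but the mail server now
: sees every command the client sends.
no fixup protocol smtp 25

# --- OpenBSD + IPFilter (/etc/ipf.conf), constructed example ---
# Pure layer 3/4 filtering: the decision is made on addresses, port and TCP
# flags, and the connection is tracked by "keep state".  Nothing here reads
# the SMTP payload, so there is no protocol parser to exploit; any protocol
# checking is left to the mail server itself.
block in all
pass in quick on xl0 proto tcp from any to 192.0.2.25 port = 25 flags S keep state
```

On the PIX, `show fixup` lists which inspections are currently active; comparing that list against what the protected hosts actually require is the quickest way to see how much layer 7 code is sitting in the packet path. In the IPFilter rule set the first line is a catch-all block, and the `quick` pass for port 25 is the only thing that overrides it.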




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3343&t=2878
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
