Fellow Firewallers,
At 05:43 PM 5/23/2001 +0000, Chris Tobkin belched:
>The ability to queue the
>message/file/response to disk and check it in its entirety is something
>that is not available with PIX because it only makes sure that the
>request and response comply with Cisco's interpretation of the RFCs.
I guess it comes down to your interpretation of how far into the data
stream an "application firewall" should check. ;-)
The PIX Mail Guard (Fixup protocol smtp command) works on traffic coming
from a less secure interface (aka the outside) to a more secure interface
(aka the inside). That also could be outside to a perimeter network. It
looks at traffic arriving on port 25 (the SMTP port). It looks inside the
packets at the SMTP commands (that are part of the data payload). If it
sees one of the commands that the Mail Guard does not support (as per RFC
821 the supported commands are HELO, MAIL, RCPT, DATA, RSET, NOOP, and
QUIT) it drops and logs the offending command and info about the packet via Syslog.
My guess is we can't do what Chris proposed because we don't have a disk
inside the PIX.
BTW, most SMTP mail transfers through a PIX with Mail Guard enabled still
work as all the required commands get through.
Does Mail Guard work with ESMTP? No. That's because there is no real
consensus that we (Cisco) can work from (i.e. no updated RFC 821) about how
to secure ESMTP. That was until RFC 2821, which is now a draft that
revises SMTP! Yahoo!
Regards from Shanghai, China,
Brian
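As an added illustration (not Cisco's code or anything from the original post), here is a small Python model of the Mail Guard behaviour described above: only port-25 traffic from a less secure to a more secure interface is inspected, the seven RFC 821 commands pass, and anything else, EHLO included, is dropped and logged. Interface names, security levels, the treatment of message-body lines after DATA and the log wording are assumptions.

```python
# The seven RFC 821 commands the post says Mail Guard passes.
MAIL_GUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
SMTP_PORT = 25
# Assumed PIX-style security levels: lower number = less secure interface.
SECURITY_LEVELS = {"outside": 0, "dmz": 50, "inside": 100}


def mail_guard(packets, fixup_smtp=True):
    """Return one (verdict, syslog_line) per packet.
    packets: (src_ip, dst_ip, dst_port, in_iface, out_iface, payload_line).
    Only port-25 traffic from a less secure to a more secure interface is
    inspected.  Commands outside MAIL_GUARD_ALLOWED are dropped and logged.
    Lines between DATA and the terminating '.' are message body, not
    commands, so they pass (assumed; the post does not spell this out).
    """
    results, in_data = [], False
    for src, dst, dport, in_if, out_if, line in packets:
        inbound = SECURITY_LEVELS[in_if] < SECURITY_LEVELS[out_if]
        if not (fixup_smtp and inbound and dport == SMTP_PORT):
            results.append(("PASS", None))   # not subject to Mail Guard
        elif in_data:                         # inside the message body
            in_data = line.strip() != "."
            results.append(("PASS", None))
        else:
            verb = line.strip().split(" ", 1)[0].upper()
            if verb in MAIL_GUARD_ALLOWED:
                in_data = verb == "DATA"
                results.append(("PASS", None))
            else:  # constructed log text; the real PIX message wording differs
                results.append(("DROP", f"mailguard: dropped SMTP command {verb} "
                                        f"{src} -> {dst}/{dport} via {in_if}"))
    return results


# Constructed inbound ESMTP session; EHLO and VRFY are outside the RFC 821 set.
SESSION = ["EHLO mx.example.net", "HELO mx.example.net", "MAIL FROM:<a@example.net>",
           "RCPT TO:<b@example.com>", "VRFY b", "DATA", "Subject: hi",
           "VRFY inside the body is data, not a command", ".", "QUIT"]


def run_session(lines, in_iface="outside", out_iface="inside", port=SMTP_PORT):
    return mail_guard([("203.0.113.7", "192.0.2.25", port, in_iface, out_iface, l)
                       for l in lines])


if __name__ == "__main__":
    for line, (verdict, log) in zip(SESSION, run_session(SESSION)):
        print(f"{verdict:4} {line!r}" + (f"   {log}" if log else ""))
```

Running it shows the EHLO greeting and the VRFY probe dropped while the same HELO-based exchange completes, which is the "most transfers still work, ESMTP does not" point made in the post.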