Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint fire wall]
From: "Corey J. Steele" <csteele () good-sam com>
Date: 26 Feb 2002 10:29:19 -0600

Peter,

One more thing I was thinking of... wouldn't it make quite a bit of
difference as to what the value of the "proxy_behind" token in
/etc/iscan/intscan.ini is set to?  I've got mine set to no, and have
told InterScan that it is not to act as a proxy but rather it is to pass
proxy requests off to localhost:3128, thus InterScan only scans http
traffic coming to and going from that proxy server (in this case, this
is our parent proxy server, so everything coming from one of the child
proxies goes here first -- to be scanned and to check the parent cache.)

Not sure if this clears it up, but basically I believe this is a
"proper" configuration, furthermore, we've stopped several viruses with
this configuration in place, and it is not suceptible to the CONNECT
flaw that Interscan seems to otherwise be suceptible to.

Best Regards,
Corey

On Mon, 2002-02-25 at 15:50, Peter Bieringer wrote:
--On Monday, February 25, 2002 03:26:16 PM -0600 "Corey J. Steele"
<csteele () good-sam com> wrote:

We have VirusWall listening on port 8080, and then sending
non-viruslaced requests to a SmartFilter-enabled SQUID proxy.  All
systems are Linux based -- most are Red Hat 6.2, with latest
applicable patches.  We built squid ourselves to include
SmartFilter.

Hopefully this helps... 


Hmm, will you say that if interscan uses as second stage a squid, the
interscan HTTPS-proxy is disabled?

Otherwise following message should be imho displayed after a CONNECT:
 HTTP/1.0 200 Connection established
 Proxy-agent: InterScan 2.0


[csteele () ws47619 csteele]$ telnet viruswall 8080
Trying XXX.XXX.XXX.XXX...
Connected to viruswall.
Escape character is '^]'.
CONNECT mailserver:25 / HTTP/1.0

HTTP/1.0 403 Forbidden

For me it looks like more:

client -> squid -HTTP-> viruswall -> internet
                -CONNECT -> internet


But this is what I understand you've described:

client -> interscan -> squid -HTTP->  -> internet
                             -CONNECT -> internet


TIA,
        Peter
-- 
Information Security Analyst
Good Samaritan Society
e-mail: csteele () good-sam com
voice: (605) 362-3899
PGP Key fingerprint = 564F 2A97 2ADA F492 F34C  8E4A 12AF 9DC3 400E 2DD6

  By Date           By Thread  

Current thread:
  • RE: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint fire wall] Corey J. Steele (Mar 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]