Firewall Wizards
mailing list archives
Re: A fun smackdown...
From: Chuck Swiger <chuck () codefab com>
Date: Thu, 19 May 2005 09:57:42 -0400
On May 19, 2005, at 9:04 AM, Paul D. Robertson wrote:
> On Tue, 17 May 2005, Martin wrote:
>> "Be liberal in what you accept; be strict in what you send."
>
> _All_ effective security controls break that tenet. The more liberal your
> controls, the more risk you assume.

There is more to an effective security control than only denying stuff!

I think you're over-valuing the utility of "deep protocol inspection",
Paul, and you seem to be ignoring the risks of denying legitimate
connections which should have been permitted.

An effective security measure needs to implement the security policy.
It needs to permit the types of access that legitimate users are
allowed to have, for the system-- meaning the network, the firewall,
and the server(s) or other equipment being used-- to work correctly.
This is just as important as denying access to stuff that is not
permitted by the security policy.

Has "fixup protocol smtp 25" actually done much to prevent a vulnerable
M$ Exchange box from being owned, or helped control the flow of
spammy/virusized traffic significantly? Does it help control outbound
malicious SMTP traffic? Has it ever happened that a firewall itself
ends up with buffer overflow bugs in its own code, trying to implement
all the per-protocol stuff?

If you want to manage SMTP securely, blocking port 25 in both
directions while permitting only your MX box(es) through would do a
heck of a lot more good than the protocol inspection does.

--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
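
The port 25 policy suggested in the message above (block it in both directions, permit only the MX hosts), sketched as an added example that is not part of the original post. It assumes a Linux gateway that forwards traffic and uses iptables; the chain name `SMTP_POLICY`, the function name and the 192.0.2.x addresses are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore
# fragment for a forwarding gateway that allows TCP/25 only when one
# endpoint is a designated MX host, in either direction.
# Assumption: hosts behind the gateway are reached via the FORWARD chain.

smtp_mx_only_rules() {
    # Arguments: IPv4 addresses of the MX hosts.
    if [ "$#" -eq 0 ]; then
        echo "usage: smtp_mx_only_rules MX_ADDR..." >&2
        return 1
    fi
    # Validate everything before printing, so a bad argument never
    # leaves a half-written rule set behind.
    for mx in "$@"; do
        case "$mx" in
            ''|*[!0-9.]*) echo "not an IPv4 address: $mx" >&2; return 1 ;;
        esac
    done

    echo '*filter'
    echo ':SMTP_POLICY - [0:0]'
    # Any forwarded TCP packet with port 25 on either side is judged by
    # the policy chain; -I puts these ahead of existing FORWARD rules.
    echo '-I FORWARD -p tcp --dport 25 -j SMTP_POLICY'
    echo '-I FORWARD -p tcp --sport 25 -j SMTP_POLICY'
    for mx in "$@"; do
        echo "-A SMTP_POLICY -d $mx -j ACCEPT"  # mail in, and replies to the MX
        echo "-A SMTP_POLICY -s $mx -j ACCEPT"  # mail out, and replies from the MX
    done
    # Everything else on port 25 is logged, then dropped.
    echo '-A SMTP_POLICY -j LOG --log-prefix "smtp-not-mx: "'
    echo '-A SMTP_POLICY -j DROP'
    echo 'COMMIT'
}

# Constructed sample addresses from the 192.0.2.0/24 documentation range.
smtp_mx_only_rules 192.0.2.25 192.0.2.26
```

Review the output, then load it with `iptables-restore --noflush` so the rest of the filter table is left as it is.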