
Re: [FW-1] RBL List?



> There are no "open ports" on my firewall. The person who sends our
> organization e-mail never even sends it to my firewall's address.
> They're sending to a mail server's address. The SMTP is pulled off,
> intercepted by the firewall and redirected.
I apologize for the confusion but I was not referring specifically to
the SMTP security server when I mentioned open ports. In the case of the
HTTP security server, the firewall is often configured to act as a proxy
for HTTP connections. In such a case you do, in fact, connect directly to
the firewall which I see as a serious problem.

> How is that different from
> going through the firewall directly to a mail server? Answer, it's not.
If there was no difference, then why bother with the SMTP security server
at all?

If all you are using the SMTP security server for is CVP, then you are
better off just letting your mail relay handle this in the first place.

If you configure the SMTP security server to look at the email in some
way, for example to strip attachments or verify sender domains, etc. you
are introducing user provided data to a firewall process. I still feel
this is a bad idea.

I was not trying to criticize your configuration. I would simply like
someone to give me a justification for the security servers.

In anything but the smallest environment, they simply do not seem to have
a place. This is especially true when you consider the memory footprints of
the servers, and that they have leaked memory in the past.

> Fact is, no one can even "see" my firewall, let alone send it a packet
> directly. No open ports, nada.
Excellent. You have no Secure Remote users? No user authentication?

Alas most of the firewalls I work with have VPN users and that means open
ports on the firewall.

> With FW-1, I can pull off SMTP and send it to any one of a number of
> spam servers, and sometimes mail servers, depending on which of the 156
> mail servers it is destined to go to.
This is exactly my problem. You are using user provided data (the email
and its destination) and making a decision (in this case an SMTP routing
decision) based on that data. To do this, the firewall has to understand
the data it sees (the email). That means parsing the message and a lot
more code that could contain potential vulnerabilities.

If a mail relay gets compromised, that is one system. If the firewall gets
compromised... oh well.

In the end, I simply see no advantage to using the security servers in
anything but the smallest environment. In a small company they can make
more sense than setting up a completely separate mail relay or web proxy.
In a large company, however, separate systems would seem to result in
more compartmentalized security and better performance.

After all, if CheckPoint really knew how to write an MTA or a web proxy,
why wouldn't they sell it?

Please understand that these are simply my personal feelings on the issue.
I think firewalls have gotten ridiculously bloated. Firewall vendors want
you to believe that their product can solve every security problem your
company may encounter. I think a firewall should be a firewall, a mail
relay should be a mail relay, a web proxy should be a web proxy, etc.

-Don

All contents © 2004 Network Presence, LLC. All rights reserved.