Re: [FW-1] RBL List?
> There are no "open ports" on my firewall. The person who sends our
> organization e-mail never even sends it to my firewall's address.
> They're sending to a mail server's address. The SMTP is pulled off,
> intercepted by the firewall and redirected.

I apologize for the confusion, but I was not referring specifically to the SMTP security server when I mentioned open ports. In the case of the HTTP security server, the firewall is often configured to act as a proxy for HTTP connections. In such a case you do, in fact, connect directly to the firewall, which I see as a serious problem.

> How is that different from
> going through the firewall directly to a mail server? Answer, it's not.

If there was no difference, then why bother with the SMTP security server at all? If all you are using the SMTP security server for is CVP, then you are better off just letting your mail relay handle this in the first place. If you configure the SMTP security server to look at the email in some way, for example to strip attachments or verify sender domains, etc., you are introducing user-provided data to a firewall process. I still feel this is a bad idea.

I was not trying to criticize your configuration. I would simply like someone to give me a justification for the security servers. In anything but the smallest environment, they simply do not seem to have a place. This is especially true when you consider the memory footprints of the servers, and that they have leaked memory in the past.

> Fact is, no one can even "see" my firewall, let alone send it a packet
> directly. No open ports, nada.

Excellent. You have no Secure Remote users? No user authentication? Alas, most of the firewalls I work with have VPN users, and that means open ports on the firewall.

> With FW-1, I can pull off SMTP and send it to any one of a number of
> spam servers, and sometimes mail servers, depending on which of the 156
> mail servers it is destined to go to.

This is exactly my problem. You are using user-provided data (the email and its destination) and making a decision (in this case an SMTP routing decision) based on that data. To do this, the firewall has to understand the data it sees (the email). That means parsing the message and a lot more code that could contain potential vulnerabilities. If a mail relay gets compromised, that is one system. If the firewall gets compromised... oh well.

In the end, I simply see no advantage to using the security servers in anything but the smallest environment. In a small company they can make more sense than setting up a completely separate mail relay or web proxy. In a large company, however, separate systems would seem to result in more compartmentalized security and better performance. After all, if CheckPoint really knew how to write an MTA or a web proxy, why wouldn't they sell it?

Please understand that these are simply my personal feelings on the issue. I think firewalls have gotten ridiculously bloated. Firewall vendors want you to believe that their product can solve every security problem your company may encounter. I think a firewall should be a firewall, a mail relay should be a mail relay, a web proxy should be a web proxy, etc.

-Don