True, true. Good point. Of course, you can always disable all the fixups
;-)
--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
"Carroll Kong" wrote in message
news:[EMAIL PROTECTED]...
> At 11:37 PM 5/5/01 -0400, Jason Roysdon wrote:
> >Huh? How would the PIX fixups possibly lead to security holes? They're
> >there to protect the end device and only allow in the RFC commands (which
> >can actually be a pain, like with SMTP mailguard being too strict for SMTP
> >authentication on Exchange). I don't see how this can be a security hole,
> >but prevents them on flawed/badly coded end devices.
> >
> >--
> >Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
> >List email: [EMAIL PROTECTED]
> >Homepage: http://jason.artoo.net/
> >
> >"Carroll Kong" wrote in message
> >news:[EMAIL PROTECTED]...
> > > At 10:44 AM 5/4/01 -0400, Jim Brown wrote:
> >
> > > The Pix does a bit more (mini-proxy like actions like 'fixups'), so it
> > > actually lends itself to be slightly more vulnerable than say an OpenBSD
> > > box + IPFilter.
>
> Anytime you try to do more than simple layer 3 packet filtering you are
> running into dangerous territory. Anytime you try to touch the layer 7
> (fix up / quasi proxy), you are asking for possible danger.
>
> Good security sense due to experience from programming knows, less
> features, less bugs, less exploits despite their best intentions.
>
>
> http://www.securityfocus.com/frames/?content=/templates/advisory.html%3Fid%3D2133
>
> In theory, you are right. In theory, firewalls + proxies create a powerful
> security environment. However, in theory of security, you cannot fully
> trust anything, that rule should supersede the other two. (and of course
> bad users are the ultimate weak link, but I digress).
>
> If an exploit has happened once, do not think it cannot happen again.
>
>
>
> -Carroll Kong
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3350&t=2878