Security Basics mailing list archives

Re: about viruswall?


From: chort <chort () amaunetsgothique com>
Date: 21 Sep 2003 00:30:15 -0700

On Wed, 2003-09-10 at 08:50, Gabriel Orozco wrote:
> Thanks, Sebastian
>
> It was the concept that I did not understand, since, as you pointed out, I use
> Linux + QMail + qmailscan + fprot to scan for viruses, and in the chain of events,
> no email will pass without being checked for viruses first.
>
> I update twice every hour, and since I had no problems with email more than
> the tons of warnings of viruses deleted I receive from qmailscan since I'm
> the postmaster.
>
> So, this is the same concept as a Viruswall. Then I keep saying the same:
> With an antivirus running in your SMTP server is more than enough.
>
> But you first need to choose carefully which solution to use. It seems that
> Linux+{QMail | Postfix | Exim | Sendmail } is a better way to go.
>
> Best Regards
> Gabriel


That is a very good solution, but I would still say that it's better in
principle to scan incoming traffic of any kind in the DMZ, before
allowing it to your internal network.  I'm loath to let any protocols
have direct access to the internal net and the internal machines, simply
because a single compromise will essentially open your entire network to
attack.

Even "secure" boxes can be compromised, as hinted at by the latest
patches for OpenSSH.  I'm very glad I discontinued ssh access from the
outside to my internal net, and instead forced it to terminate in the
DMZ (with no DMZ -> LAN access).  The latest Sendmail exploits are
another excellent reason why not to allow traffic directly into your
internal net.

Of course, due to budget, topology, politics, etc., it's not always
possible to set up your network like that, but it is the "best practice"
(that goes for any service: HTTP, FTP, DNS, etc.).
 
-- 
Brian Keefer

