Security Basics mailing list archives

Re: Cisco PIX fixup protocol command


From: Jamie Pratt <jamie () nucdc org>
Date: Wed, 11 Feb 2004 13:48:34 -0500


The fixup means that it will add stateful connection tracking to the
protocol/port you desire. This keeps the firewall from using more
resources than necessary, and I would imagine it speeds things up as well.
As far as SMTP goes, it's often recommended NOT to use it - basically,
commands like EHLO (instead of HELO, which MANY mail clients use
instead) will not work, ESMTP breaks, etc, etc.. (At least on Qmail
servers anyhow - not sure about the others - it also hides the SMTP
banner with XXXX's, which is good of course, but at the expense of
[possibly] losing email, depending on your mail server type.)

As far as the security implications of 'no fixup' go, I'm guessing the
TCP sequence numbers would probably be easier to guess, which, as most
know, is a difficult way to hack a firewall anyhow... Personally, I
would think it would be more secure, not less..? (I could be wrong..
comments?)

The syntax 'no fixup protocol service port' basically means to treat
that port/service/protocol as non-stateful, meaning all the packets will
have to traverse the ruleset, just adding overhead to the firewall in
general. I may be wrong here, but I believe that is really all there is
to it...

There is a mailing list out there called fw-wiz, or 'firewall wizards'
(not sure of the URL, sorry), which is probably better able to answer this
in more detail..

regards,
jamie

S.Rohit wrote:

| Hi everyone....
|
|    Might sound like a very stupid question to ask, but I am looking
| for info on what is the use of fixup protocol commands on the Cisco PIX
| device. What is the exact usage and significance of this command? And
| what are the security implications of this command? I know that some
| fixups like, say, fixup protocol smtp are good because of the way they
| restrict the SMTP command set, but how about the general syntax
| [no] fixup protocol [service] [port]? What is this used for and what
| are the security implications of this?
|
|    I am asking this because I'm seeing a recommendation in some PIX
| hardening guide to disable fixups, or they flag fixups as a security
| issue? Why is that?
|
| rohit
|

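An added example, not part of the original post and not Cisco's code: a small Python model of what the SMTP fixup (Cisco calls it Mailguard) does to a session, to make the "EHLO will not work, ESMTP breaks" and "hides the SMTP banner" points above concrete. Assumptions: the permitted commands are the RFC 821 minimum set (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT), anything else is answered by the firewall with "500 command unrecognized" and never reaches the server, and the greeting text after the 220 code is masked with X's as the poster describes (the real PIX masking character may differ). The toy server, hostnames and commands are constructed for the example.

```python
"""Simulation of PIX 'fixup protocol smtp 25' behaviour (example code, not PIX code).

Assumed model: the firewall lets only the RFC 821 minimum command set through,
answers anything else with '500 command unrecognized' on the server's behalf,
and replaces the server greeting text with X's.
"""

# Assumed allowed set (RFC 821 section 4.5.1 minimum implementation).
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def mask_banner(banner: str) -> str:
    """Keep the 3-digit reply code, replace every non-space greeting char with X.

    'X' is the masking character the poster reports; it is an assumption here.
    """
    code, sep, rest = banner.partition(" ")
    masked = "".join(ch if ch.isspace() else "X" for ch in rest)
    return f"{code}{sep}{masked}"


class ToyServer:
    """Constructed ESMTP server: advertises extensions on EHLO, plain 250 on HELO."""

    banner = "220 mail.example.net ESMTP Postfix (constructed)"

    def reply(self, line: str) -> list[str]:
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            return ["250-mail.example.net", "250-STARTTLS", "250 SIZE 10240000"]
        if verb in ("HELO", "MAIL", "RCPT", "RSET", "NOOP"):
            return ["250 OK"]
        if verb == "DATA":
            return ["354 End data with <CR><LF>.<CR><LF>"]
        if verb == "QUIT":
            return ["221 Bye"]
        return ["502 Command not implemented"]


def run_session(commands: list[str], fixup: bool) -> list[tuple[str, str]]:
    """Drive the toy server through the (optional) fixup model.

    Returns a transcript of (sender, line) tuples where sender is
    'C' (client), 'S' (server) or 'FW' (reply synthesised by the firewall).
    """
    server = ToyServer()
    transcript = [("S", mask_banner(server.banner) if fixup else server.banner)]
    for cmd in commands:
        transcript.append(("C", cmd))
        verb = cmd.split(" ", 1)[0].upper()
        if fixup and verb not in ALLOWED:
            # Firewall intercepts: the server never sees this command.
            transcript.append(("FW", "500 command unrecognized"))
            continue
        for reply in server.reply(cmd):
            transcript.append(("S", reply))
    return transcript


def esmtp_negotiated(transcript: list[tuple[str, str]]) -> bool:
    """True if the server got to advertise ESMTP extensions (multi-line 250-)."""
    return any(who == "S" and line.startswith("250-") for who, line in transcript)


if __name__ == "__main__":
    session = ["EHLO client.example.org", "HELO client.example.org",
               "MAIL FROM:<user@example.org>", "QUIT"]
    for fixup in (True, False):
        print(f"--- fixup protocol smtp 25: {'on' if fixup else 'off'}")
        for who, line in run_session(session, fixup):
            print(f"{who:>2}: {line}")
        print("ESMTP negotiated:", esmtp_negotiated(run_session(session, fixup)))
```

With the fixup on, the EHLO gets a firewall-generated 500 and the session only works because this client falls back to HELO; a client that treats the 500 as fatal would never send mail, which is the "losing email" case the post warns about. The masked banner also shows the trade-off: the server software string is gone, but so is the ESMTP announcement that well-behaved clients key off.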
