Security Basics mailing list archives
RE: Cisco PIX fixup protocol command
From: "d'Ambly, Jeff" <jdambly () monster com>
Date: Thu, 12 Feb 2004 14:23:43 -0500
The fixup protocol is for application inspection; for example, the HTTP fixup limits the amount of outbound HTTP connections. It also inspects the HTTP requests to make sure they are formed correctly. The SMTP fixup works in a similar fashion. If you have it enabled and you try to send a non-standard SMTP command to the server, the firewall changes the command to XXXX. Even if you have fixup enabled, you still have to make entries in an access-list. I would suggest that you do some reading at cisco.com.

-----Original Message-----
From: kawaii ryuko [mailto:trunks () stackers org]
Sent: Wednesday, February 11, 2004 1:23 PM
To: security-basics () securityfocus com
Subject: Re: Cisco PIX fixup protocol command

From: "S.Rohit" <s.rohit () usa net>
Sent: Wednesday, February 11, 2004 05:52
hi everyone.... might sound like a very stupid question to ask, but i am looking for info on what is the use of fixup protocol commands on the Cisco PIX device. what is the exact usage and significance of these commands? and what are the security implications of this command? i know that some fixups like say fixup protocol smtp are good cos of the way they restrict the SMTP command set but how about the general syntax [no] fixup protocol [service] [port]? what is this used for and what are the security implications for this?

Good firewall policy means you know /exactly/ what ports are open and what you are allowing through. Unless you are using a specific fixup service, it is best to turn them off. Personally, I like to turn off all fixup protocols and then open up ports as need be. The fixup series of commands are basically shortcuts that let you open up a service without having to go through all the individual ports (if I understand it correctly.)
rohit
Ever lovable and always scrappy, kawaii
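
An added example, not part of the original posts: a small Python audit of a PIX configuration that lists every enabled fixup and whether any access-list permit entry references the same TCP port, the two things the replies above say an administrator should know. The sample configuration, the PORT_NAMES map and the audit function are constructed for illustration and assume only the "fixup protocol <name> <port>" and "permit tcp ... eq <port>" line forms.

```python
import re

# Constructed sample in PIX 6.x syntax (not taken from the thread).
SAMPLE_CONFIG = """\
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
no fixup protocol sqlnet 1521
access-list acl_out permit tcp any host 192.0.2.10 eq smtp
access-list acl_out permit tcp any host 192.0.2.20 eq 80
access-list acl_out deny ip any any
"""

# A few port literals that can appear in access-lists instead of numbers.
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80}

FIXUP_RE = re.compile(r"^(no )?fixup protocol (\S+) (\d+)$")
# Assumption: the trailing "eq <port>" is the destination port.
ACL_RE = re.compile(r"^access-list \S+ permit tcp .* eq (\S+)$")


def audit(config):
    """Return {(protocol, port): permitted_by_acl} for every enabled fixup."""
    fixups, permitted = set(), set()
    for line in map(str.strip, config.splitlines()):
        m = FIXUP_RE.match(line)
        if m:
            entry = (m.group(2), int(m.group(3)))
            # A "no fixup ..." line disables inspection for that entry.
            (fixups.discard if m.group(1) else fixups.add)(entry)
            continue
        m = ACL_RE.match(line)
        if m:
            tok = m.group(1)
            port = int(tok) if tok.isdigit() else PORT_NAMES.get(tok)
            if port is not None:
                permitted.add(port)
    return {f: f[1] in permitted for f in sorted(fixups)}


if __name__ == "__main__":
    for (proto, port), ok in audit(SAMPLE_CONFIG).items():
        state = "permit entry found" if ok else "no permit entry for this port"
        print(f"fixup {proto} {port}: {state}")
```

On the sample, ftp/21 is reported as inspected but not referenced by any permit entry, which is the kind of mismatch worth reviewing before deciding to keep or disable that fixup.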