Firewall Wizards mailing list archives
Re: A fun smackdown...
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 19 May 2005 19:01:37 -0400 (EDT)
On Fri, 20 May 2005, Devdas Bhagat wrote:
On 19/05/05 17:32 -0400, Paul D. Robertson wrote: <snip>I used Cisco's proxying of SMTP as a well-known example of a "security feature" which breaks legitimate protocol extensions (ESMTP), yetThat's the point; You stop things (I don't think it really "breaks it," since it should default to HELO instead of EHLO- so "doesn't allowYes it does. Minimally, it breaks the requirement that the server advertise its fully qualified hostname to the remote SMTP client in the greeting.
I'd read Chuck's message to say that it doesn't allow ESMTP, which is different than breaking it, as you can simply downgrade to SMTP.
increased functionality" is probably more accurate.) Heck, I try not toThe increased functionality enhances security by allowing for 1> SMTP AUTH 2> TLS 3> being able to reject before 'data' based on size as offered by the client. (otherwise you have to accept all the data and that can lead to a DoS). 4> Catching broken spamware and proxies which spew out SMTP protocol stuff before responses without offering EHLO and explicitly being offered pipelining.
I'm not arguing that ESMTP doesn't have useful features, I'm saying that not allowing it is a valid security control, as it increases complexity (SSL layer in TLS? Auth password guessing...,) and specifically if it stops the last Exchange bug, then it's value may come to be a lot greater than previously thought for those folks who use SMTP-fixup and Exchange (editorial comments narrowly avoided.) Actually, you don't have to accept all the data, you can simply close the connection at N bytes, which you'd have to do if the client lied anyway. Also, I've seen the same spew in "legitimate" applications (specifically Delphi controls that couldn't do SMTP correctly,) which is generally where you get the most flack for adding security controls (breaks "needed functionality.")
run browsers that do ActiveX when I run a browser on a Microsoft OS, that's reduced functionality too- but I'm willing to accept it because it reduces my risk. Guards with guns stop the free flow of people, and reduce the functionality of a place- but they also reduce the risk if they're doing their jobs- and many places are happy to deploy them.doesn't seem to really improve security, but if you aren't very familiar with it, I won't insist on debating this particular example. :-)Does it stop the MS-only extensions? In that case it does provide some security value- unless you feel that overflows in SMTP verbs aren't that big a security deal...But those could be stopped by a ESMTP speaking defensive proxy as well.
Which doesn't mean the downgrade wouldn't be protective. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- A fun smackdown... Marcus J. Ranum (May 13)
- Re: A fun smackdown... Joseph S D Yao (May 15)
- Re: A fun smackdown... Martin (May 17)
- Re: A fun smackdown... Paul D. Robertson (May 19)
- RE: A fun smackdown... Ben Nagy (May 19)
- Re: A fun smackdown... Chuck Swiger (May 19)
- Re: A fun smackdown... Paul D. Robertson (May 19)
- Re: A fun smackdown... Chuck Swiger (May 19)
- Re: A fun smackdown... Paul D. Robertson (May 19)
- Re: A fun smackdown... Devdas Bhagat (May 19)
- Re: A fun smackdown... Paul D. Robertson (May 19)
- Re: A fun smackdown... Marcus J. Ranum (May 20)
- Re: A fun smackdown... Chuck Swiger (May 21)
- Re: A fun smackdown... Marcus J. Ranum (May 21)
- Re: A fun smackdown... Chuck Swiger (May 21)
- Re: A fun smackdown... Marcus J. Ranum (May 21)
- Re: A fun smackdown... Chuck Swiger (May 21)
- Re: A fun smackdown... Adam Shostack (May 21)
- Re: A fun smackdown... Martin (May 17)
- Re: A fun smackdown... Joseph S D Yao (May 15)
- Re: A fun smackdown... Ryan McBride (May 21)
- Re: A fun smackdown... Marcus J. Ranum (May 21)
- Re: A fun smackdown... Steven M. Bellovin (May 21)