your mail

Alex P. Rudnev alex at Relcom.EU.net
Wed Sep 22 16:13:29 UTC 1999


I'd like to say, that people usially overestimate the power of the 
firewalls and the necessety of the complex server-based firewalls - and 
underestimate the importance of the _rules_ they follow to in their 
labs... I saw a few cases when an expansive PIX firewall was choosen and 
installed, and a lot of headache created for the innocent users - and 
nothin was done against the macro-viruses or NT BO trojans... And it's 
more important to have _any_ firewall than do not have it at all.

CISCO CW IOS is just such thing - even usial ACL-s allow to protect 
network against the usial _network scanners and exploit users_ - and FW 
ios with the additional protection allow you to have good L2 - L3 and 
sometimes L4 protection (I mean OSI levels). Through nothing (except the 
simple wire cutter) can protect against the crazy users inside the 
company...

On Wed, 22 Sep 1999, Stephen Sprunk wrote:

> Date: Wed, 22 Sep 1999 10:38:30 -0500
> From: Stephen Sprunk <ssprunk at cisco.com>
> To: "Alex P. Rudnev" <alex at relcom.EU.net>,
>     Gerry McDonald <gerry at injectronics.com>
> Cc: nanog at merit.edu
> Subject: Re: your mail
> 
> 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120
> t/120t5/iosfw2/iosfw2_2.htm#xtocid1359543
> 
> SMTP Messages
> 
> CBAC detects and blocks SMTP attacks (illegal SMTP commands) and notifies
> you when SMTP attacks occur. Error messages such as the following may
> indicate that an SMTP attack has occurred:
> 
> %FW-4-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator
> (192.168.12.3:52419)
> 
> 
> Looks like it does do that after all...
> 
> IOS FW also monitors HTTP, CU-SeeMe, FTP, H.323, NetShow, r-commands,
> RealAudio, Sun RPC, SQL*Net, StreamWorks, TFTP, VDOLive, and generic TCP/UDP
> sessions in addition to SMTP.  It also protects against fragment attacks,
> SYN attacks, ACK attacks, and bogus TCP sequence numbers.
> 
> Randy: ip inspect name firewall smtp
> 
> S
> 
> 
> Stephen Sprunk, K5SSS, CCIE#3723
> Network Consulting Engineer
> Cisco NSA   Dallas, Texas, USA
> e-mail:ssprunk at cisco.com
> Pager: +1 800 365-4578
> Empowering the Internet Generation
> 
> 
> ----- Original Message -----
> From: Alex P. Rudnev
> To: Gerry McDonald
> Cc: nanog at merit.edu
> Sent: Wednesday, September 22, 1999 5:37
> Subject: Re: your mail
> 
> Get IOS FireWall Feauture set, router with the 2 LAN and 2 WAN
> interfaces, and say _get away_ to the hw vendors.
> 
> No doubt, it's possible to enter into IOS if you did not installed access
> lists on the VTY, keep working some extra services (such as router-based
> WWW) or so on; but it do not depend of the firewalls at all... And - if
> you don't need session-level firewall (with the analysing of SMTP content
> for example) IOS FW feature set is very effective solution.
> 
> Aleksei Roudnev, Network Operations Center, Relcom, Moscow
> (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 230-41-41,
> N 13729 (pager)
> (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
> 
> 
> 

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 230-41-41, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)





More information about the NANOG mailing list