Jim Maze <jmazeat_private> wrote:
> That's funny. How can the PIX be certified as conforming to any
> "Application Level Firewall Protection Profile", when the PIX is not an
> application level firewall? As you know, the PIX is based on stateful
> packet filtering - not application layer proxies.

This is wrong. The PIX has 'protocol fixups' which are application-level
filters. I cannot find any documentation on what they do, though.

> Here's the problem with the PIX, and any other packet filter - stateful
> or not. The darn things don't break the client/server connections. Every
> network in the world has at least one mail server and one web server.
> With a PIX, you have to have an ACL entry that allows port 25 to the
> mail server and port 80 and possibly 443 to the web server. The problem
> is, any traffic that meets these basic requirements will pass right
> through unrestricted.

Definitely wrong. Here, for example, is a connection to sendmail via a
PIX firewall:

<<< 220 SMTP/cmap ready______________________________________________________
>>> HELP
<<< 500 Command unrecognized: "XXXX"

The PIX is replacing any data it doesn't think we need to know with
underlines (e.g. the sendmail banner), and replacing any commands it
doesn't think are necessary with Xs.

Cheers

Jon

-- 
\/ Jon Ribbens / jonat_private
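As an added example (this is not code from the original message, from the PIX, or from Cisco), here is a small Python model of the behaviour Jon's transcript shows: an application-level filter sitting between client and server that masks the text of the SMTP greeting with underscores and rewrites any command verb outside a minimal set into Xs, with a toy server standing in for sendmail so the exchange runs offline. The allow-list, the rule that only the 220 greeting is masked, and the server's banner are assumptions or constructed data, not documented PIX behaviour.

```python
import re

# Assumed minimal allow-list for the toy filter. The real fixup list is not
# documented on the page this accompanies; treat this set as a guess.
ALLOWED_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# SMTP reply: 3-digit code, then a space (final line) or '-' (continuation).
_REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def mask_banner(reply: str) -> str:
    """Return the server's 220 greeting with its text masked by underscores.

    The reply code and separator survive so the client still sees a valid
    greeting; hostname, software, version and date are hidden. Replies other
    than 220 pass through unchanged, which is consistent with the 500 error
    being readable in Jon's transcript. Masking only 220 is an assumption of
    this model, not a documented PIX rule.
    """
    m = _REPLY_RE.match(reply.rstrip("\r\n"))
    if m is None or m.group(1) != "220":
        return reply
    code, sep, text = m.groups()
    return code + sep + "_" * len(text)


def filter_command(line: str) -> str:
    """Replace a non-allow-listed SMTP verb with Xs of the same length.

    The argument text is forwarded untouched. The filter does not need to
    understand HELP, VRFY, EXPN or any other optional command: the server
    itself rejects the mangled verb with a 500, as in the transcript.
    """
    line = line.rstrip("\r\n")
    verb, sep, args = line.partition(" ")
    if verb.upper() in ALLOWED_COMMANDS:
        return line
    return "X" * len(verb) + sep + args


class ToySmtpServer:
    """Stand-in for sendmail so the exchange runs offline (constructed data)."""

    BANNER = ("220 mail.example.test ESMTP Sendmail ready; "
              "Fri, 13 Apr 2001 14:00:00 -0700")
    KNOWN = {"HELO", "EHLO", "HELP", "MAIL", "RCPT", "DATA", "RSET",
             "NOOP", "VRFY", "EXPN", "QUIT"}

    def respond(self, line: str) -> str:
        verb = line.partition(" ")[0].upper()
        if verb not in self.KNOWN:
            # Old sendmail echoes the offending line back in quotes.
            return f'500 Command unrecognized: "{line}"'
        if verb == "HELP":
            return "214 Help would list supported commands here"
        if verb == "VRFY":
            return "250 root <root@mail.example.test>"
        if verb == "QUIT":
            return "221 mail.example.test closing connection"
        return "250 OK"


def run_exchange(client_lines, server=None):
    """Drive client lines through the filter to the toy server.

    Returns the transcript as the client sees it: ('<<<', reply) and
    ('>>>', typed line) pairs, mirroring the notation in Jon's message.
    The server only ever receives the filtered form of each line.
    """
    server = server or ToySmtpServer()
    transcript = [("<<<", mask_banner(server.BANNER))]
    for typed in client_lines:
        transcript.append((">>>", typed))
        transcript.append(("<<<", server.respond(filter_command(typed))))
    return transcript


if __name__ == "__main__":
    demo = ["HELP", "VRFY root", "MAIL FROM:<a@example.test>", "QUIT"]
    for direction, text in run_exchange(demo):
        print(direction, text)
```

The contrast with the ACL case Jim describes is the `filter_command` step: a packet filter that merely permits port 25 would forward `HELP` and `VRFY root` verbatim and the server would answer them (here with 214 and a 250 naming a user), whereas the application-level filter turns them into `XXXX` and `XXXX root`, so the server rejects them with 500 and the client learns nothing beyond the reply code.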
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:30 PDT