RE: UPDATE: [wcolburnat_private: SMTP relay through checkpoint fire wall]

From: Corey J. Steele (csteele@good-sam.com)
Date: Tue Feb 26 2002 - 08:29:19 PST

    Peter,
    
    One more thing I was thinking of... wouldn't it make quite a bit of
    difference as to what the value of the "proxy_behind" token in
    /etc/iscan/intscan.ini is set to?  I've got mine set to no, and have
    told InterScan that it is not to act as a proxy but rather it is to pass
    proxy requests off to localhost:3128, thus InterScan only scans http
    traffic coming to and going from that proxy server (in this case, this
    is our parent proxy server, so everything coming from one of the child
    proxies goes here first -- to be scanned and to check the parent cache.)
    
    Not sure if this clears it up, but basically I believe this is a
    "proper" configuration; furthermore, we've stopped several viruses with
    this configuration in place, and it is not susceptible to the CONNECT
    flaw that InterScan seems to otherwise be susceptible to.
    
    Best Regards,
    Corey
    
    On Mon, 2002-02-25 at 15:50, Peter Bieringer wrote:
    > --On Monday, February 25, 2002 03:26:16 PM -0600 "Corey J. Steele"
    > <csteele@good-sam.com> wrote:
    > 
    > > We have VirusWall listening on port 8080, and then sending
    > > non-viruslaced requests to a SmartFilter-enabled SQUID proxy.  All
    > > systems are Linux based -- most are Red Hat 6.2, with latest
    > > applicable patches.  We built squid ourselves to include
    > > SmartFilter.
    > > 
    > > Hopefully this helps... 
    > 
    > 
    > Hmm, will you say that if interscan uses as second stage a squid, the
    > interscan HTTPS-proxy is disabled?
    > 
    > Otherwise following message should be imho displayed after a CONNECT:
    >  HTTP/1.0 200 Connection established
    >  Proxy-agent: InterScan 2.0
    > 
    > 
    > > [csteele@ws47619 csteele]$ telnet viruswall 8080
    > > Trying XXX.XXX.XXX.XXX...
    > > Connected to viruswall.
    > > Escape character is '^]'.
    > > CONNECT mailserver:25 / HTTP/1.0
    > >
    > > HTTP/1.0 403 Forbidden
    > 
    > For me it looks like more:
    > 
    > client -> squid -HTTP-> viruswall -> internet
    >                 -CONNECT -> internet
    > 
    > 
    > But this is what I understand you've described:
    > 
    > client -> interscan -> squid -HTTP->  -> internet
    >                              -CONNECT -> internet
    > 
    > 
    > TIA,
    >         Peter
    -- 
    Information Security Analyst
    Good Samaritan Society
    e-mail: csteele@good-sam.com
    voice: (605) 362-3899
    PGP Key fingerprint = 564F 2A97 2ADA F492 F34C  8E4A 12AF 9DC3 400E 2DD6
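
An added example (not part of the original message, and not InterScan or Squid code) of checking a proxy log for the CONNECT-to-port-25 relay tested in this thread. It assumes Squid's native access.log format and that only ports 443 and 563 are legitimate CONNECT targets; the log lines are constructed.

```python
# Added example: flag CONNECT tunnels to non-TLS ports in Squid access.log lines.
import re

# Ports a CONNECT tunnel may legitimately reach (assumption: HTTPS and NNTPS only).
ALLOWED_CONNECT_PORTS = {443, 563}

# Squid native access.log: time elapsed client action/status bytes method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def suspicious_connects(lines, allowed=ALLOWED_CONNECT_PORTS):
    """Return one finding per CONNECT request aimed at a port outside `allowed`.

    'tunnel_opened' is True when the proxy answered 200, i.e. the relay worked;
    denied attempts (403) are still reported because they show probing.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        host, _, port = m["url"].rpartition(":")
        if not port.isdigit() or int(port) in allowed:
            continue  # malformed target, or a permitted TLS port
        findings.append({
            "client": m["client"],
            "target": host,
            "port": int(port),
            "tunnel_opened": m["status"] == "200",
        })
    return findings

# Constructed sample lines (not taken from any real log).
SAMPLE_LOG = """\
1014741559.101    312 192.0.2.10 TCP_MISS/200 4312 GET http://www.example.com/ - DIRECT/198.51.100.7 text/html
1014741560.250   1840 192.0.2.10 TCP_MISS/200 9120 CONNECT shop.example.com:443 - DIRECT/198.51.100.8 -
1014741575.904  60211 192.0.2.77 TCP_MISS/200 18455 CONNECT mailserver:25 - DIRECT/198.51.100.25 -
1014741580.018      4 192.0.2.77 TCP_DENIED/403 1032 CONNECT mailserver:25 - NONE/- -
""".splitlines()

if __name__ == "__main__":
    for finding in suspicious_connects(SAMPLE_LOG):
        print(finding)
```

A finding with `tunnel_opened` set to True corresponds to the "200 Connection established" reply quoted above; the 403 case matches the response Corey's configuration returned.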
    



    This archive was generated by hypermail 2b30 : Fri Mar 01 2002 - 03:04:50 PST