PIX vs router for small business inbound SMTP protection

Discussion in 'Cisco' started by kenw, Aug 17, 2004.

  1. kenw

    kenw Guest

    I need to protect inbound SMTP ports on small (less than 50 users each)
    business Exchange servers.

    These sites currently run low cost NATwalls, and some people would just
    poke a hole in them with port 25 forwarding. Gives me the heebee-jeebees.
    I want something that understands SMTP well enough to protect the server to
    some extent.

    So far as I can tell, PIX has "fixups", and Cisco routers running the
    firewall feature set have "inspects". They are presented as being
    equivalent, but there's no detail to back that up. Personally, I know
    routers better than PIX, and I respect FFS.

    Does anyone here understand these products well enough to compare them?

    I have several small business clients that are running simple NATwalls
    right now, and will be looking at running Exchange soon. Currently these
    sites provide no inbound access except via VPN. Clearly, that will have to
    change. I'll need support for inbound SMTP, as well as HTTPS for Outlook
    Web Access.

    I do also need to continue to support remote user access -- no more than a
    few users at a time. I prefer to use Microsoft's VPN client; it's quick
    and easy to configure.

    Ken Wallewein
    K&M Systems Integration
    Phone (403)274-7848
    Fax (403)275-4535

    kenw, Aug 17, 2004

  2. RM

    RM Guest

    I would suggest the PIX even though the SMTP fixup does not support the
    extended SMTP commands (it is supposed to in version 7.0, due out this year).
    The reason for the PIX is the various models. There are the 3 types of 501
    that range from 300 to 995 in cost and they support vpn. If you like the
    Microsoft client you can terminate PPTP on the PIX and use the MS client.
    You can also enable IAS on your MS server and have the VPN clients
    authenticate against the domain or the PIX has an internal user database.
    The PIX will support just about any size business and will grow as needed.

    RM, Aug 18, 2004

  3. kenw

    kenw Guest

    Are you saying that the router with FFS won't do all of those things as well? I
    believe it will, and is more flexible. A PIX 501 with 50-user bundle lists
    at $845; a Cisco 831 router lists at $649.

    All Cisco seems to say is that a PIX is simpler and more limited, therefore
    more robust. OK...


    Ken Wallewein
    K&M Systems Integration
    Phone (403)274-7848
    Fax (403)275-4535

    kenw, Aug 18, 2004
  4. PES

    PES Guest

    I too prefer the Pix, but it is less flexible. Neither is going to really
    protect a mail server that well. You really need something that is more of
    a content filter to secure a mail server well. That is unless you trust the
    exposed smtp service and the underlying tcp stack in the os.
    PES, Aug 20, 2004
  5. CISCORUBS

    The PIX is a stateful firewall. The ASA (Adaptive Security Algorithm)
    offers far more in the way of protection.

    CBAC is a SOHO solution for the all in one box concept. It is very
    limited and adds CPU overhead you don't need.
    CISCORUBS, Aug 20, 2004
  6. RM

    RM Guest

    Actually, yes I am, and here are my reasons:
    1. He is new to Cisco (obviously from the post) and the PIX with PDM is
    much easier to configure and build LAN-to-LAN and Client-to-LAN VPNs.
    2. In his description, there is no need for the flexibility of a router.
    The only thing a PIX will not do is route and he has a bunch of small
    networks with no need to route internally.
    3. The PIX is more flexible with more low cost models, three versions of
    the 501, a 506 and a 515 (all under $3500.00). Have you priced a 2600 with
    the IP Plus, FW, IPSEC feature set? The RAM alone costs as much as a PIX 515. With
    the PIX, no matter what site, 10 users or 200 users, the configuration and
    the code is always the same. Much easier to support, upgrade and maintain.

    I am not against using a router for VPN when it is needed, but in this case
    it's not needed.

    RM, Aug 22, 2004
  7. kenw

    kenw Guest

    Actually, I'm not new to Cisco (I presume it's me you're referring to.)
    I've worked with Cisco routers for over 10 years; I'm just not very
    familiar with PIX. And I don't claim to be an expert, especially where
    firewalls are concerned.

    I'm having trouble comparing PIXes to routers. I know routers. They can
    do a LOT more than just route. They have a lot of protocol-awareness and
    debugging capability. I don't know what makes PIXes good.

    But I have yet to see a decent comparison of PIX and "fixups" to
    IOS/FFS/CBAC. There certainly hasn't been one in this thread. All I see
    so far is people who know one or the other, defending the one they know.

    Note the prices of roughly equivalent router and PIX, that I provided
    previously. YMMV, but it'll be close. So price alone doesn't seem to be a
    determining factor.

    One key question, in my mind, is how well PIXes understand what constitutes
    legitimate SMTP traffic (as opposed to TCP/IP in general). Another is how
    well they interoperate with, and how easy they are to set up for, modern
    Microsoft VPN client software.

    Back to you.

    Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
    Calgary, Alberta, Canada

    kenw, Aug 22, 2004
  8. PES

    PES Guest

    The routers are currently offering more and more security features.
    Likewise the Pix is offering more and more routing features. The two are
    growing closer together. I for one also believe that there is something to
    be said for sticking to what you are familiar with if the decision comes
    down to a tie.
    One thing that the pix does that I don't think ffs will do is source port
    randomization. Also, the pix, being a firewall, is secure out of the box.
    Therefore it is less susceptible to configuration changes that may make your
    network more vulnerable.
    When you get down to the soho level stuff I agree. 831 is roughly the same
    price as a Pix 501.
    In my opinion in current version the Router will outperform the Pix on this.
    I don't recommend the smtp fixup on the Pix, unless your server does only
    smtp. Pix OS 7 may support esmtp. I have found issues with the smtp
    inspect on the router and the smtp fixup on the pix. I don't think either
    is adequate for protecting an insecure mail server, but the router inspect
    can drop connections based on the number of recipients. My advice is to use
    some sort of application level content filter or make sure you keep your
    mail server in good config and patch.
    I always use the Cisco VPN client with XAUTH to a radius server (included in
    windows). The pix is easier to config with the PDM. However depending on
    your architecture, you may prefer the router for this. The reason being
    that your connection to a pix will only get you behind that single pix. A
    core router terminating the VPNs could net you a connection behind it and
    all pixes or routers at the remote locations. Always keep in mind the rule
    that if a packet goes in one interface, it can never leave that interface.
    PES, Aug 22, 2004
  9. Walter Roberson

    :One key question, in my mind, is how well PIXes understand what constitutes
    :legitimate SMTP traffic (as opposed to TCP/IP in general).

    With all released versions, PIX are very strict about SMTP. It's pretty
    much a minimal subset that is accepted (e.g., no VERIFY), and no ESMTP
    at all. No long recipient lines.

    The next release might support some subset of ESMTP; I haven't seen
    the detailed specs.

    :Another is how
    :well they interoperate with, and how easy they are to set up for, modern
    :Microsoft VPN client software.

    If you only have one external IP address that you are PAT'ing everything
    through, and you are using PPTP as your "modern" client software,
    then the PIX is not going to be able to handle more than one such
    connection at a time (because it doesn't have any way to distinguish
    the different GRE sessions, as GRE has no port numbers.)

    If you have at least as many external IP addresses available as you
    will have simultaneous PPTP sessions, then you can 'global' an IP
    range for NAT'ing purposes, and PPTP will work fine with that.
    However, unless you are using PIX 6.3(3) or later, there is no way to
    "reserve" the global IPs for PPTP, so those ftp/www sessions will
    grab the global IPs before the PPTP sessions. [In 6.3(3) or later,
    you could do policy NAT with a policy ACL matching the PPTP traffic
    and you could associate that policy number with the 'global' that
    had the IP range whilst letting everything else use the PAT'ing
    'global' statement.]

    If you have plenty of available routable IPs, or if by "modern"
    Microsoft VPN client software you refer to IPSec such as is in Windows XP,
    then you should be much better off, in theory; I haven't, though,
    tried running XP's IPSec. (Something else for the endless to-do list...)
    Walter Roberson, Aug 22, 2004
  10. Frank Fegert

    Frank Fegert Guest


    Sorry for interrupting here. I'm particularly interested
    in the following sentence:
    I'm afraid I'll have to do this in the near future. I'd
    prefer a Cisco ACS, which supports this without hassle,
    but customer wants to use M$ IAS (RADIUS) :-(
    I found the "Cisco Secure PIX Firewall 6.x and Cisco VPN
    Client 3.5 for Windows with Microsoft Windows 2000 and
    2003 IAS RADIUS Authentication" document, but I'm curious
    to what degree I can put the user/vpngroup information
    on the IAS. From the VPN 3000 I know one can put pretty
    much anything but vpngroup-name and vpngroup-password in
    the ACS. Is this also the case with the PIX resp. IAS?
    Plus, is there a reference for the related av-pairs? I
    failed to find those related to the vpngroup. For the IP/
    mask/gateway I would have used the IETF av-pairs listed
    in the ACS docs; is this correct?
    I'd appreciate it if anyone could provide me with sample
    extended attributes for the IAS.

    Thanks & regards,

    Frank Fegert, Aug 22, 2004
  11. RM

    RM Guest

    Sorry Ken, I did not read up and realize you were the original poster. Here
    is a link on the SMTP Fixup feature and depending on the type of mail server
    you are protecting in my opinion it works very well. Version 7.0 of code
    due out this year is supposed to support enhanced SMTP. Cisco is also
    supposed to release a 1U system (looks like a 2600) that will be a router,
    firewall and IDS all in one. Not the feature sets on a router, but the true
    actual devices (stateful firewall, inline IDS). It is supposed to be in the
    small to medium market space.


    I am not defending the PIX, I just believe that from the information you
    provided it is the best choice. I have built many VPN networks with routers
    and that is usually my preferred choice. But I prefer to use routers where
    I am building VPN networks that are taking the place of or backing up frame
    or p-t-p networks. When it is client-to-LAN VPNs and small networks I like
    the PIX. If you know routers you will have no problems with the pix.

    Here is a good link for various security information about both the FFS and
    PIX (a little old but still good reading):


    Good luck with the project and if you go with the PIX and need help, please
    feel free to email me any questions.

    RM, Aug 23, 2004
  12. kenw

    kenw Guest

    Hmmm. Well, I want to run an Exchange server inside the firewall. I don't
    want to run all SMTP traffic via a specific ISP (which as I understand it
    means I won't be using ESMTP), and I don't want to run MS's ISA server.
    Will it all work?

    It's got me thinking, though: if I only accepted SMTP traffic from my
    local ISP, using ESMTP (I presume) with outbound polling, I wouldn't need
    to open an SMTP port on the firewall, set up a static NAT, etc., and
    probably wouldn't need to worry nearly as much about firewall SMTP
    functionality. IP filters would be a lot more effective in that
    configuration. Hmmmm...

    It wouldn't do much for Outlook Web Access, but I suppose I could require
    VPN connections for that.
    Virtually all of my clients have only one or two routable IPs.

    I've been running Netopia R910s and 3381s as multi-PPTP and IPsec endpoints
    for these for some time. I use IPsec for router-to-router links only --
    because IPsec doesn't deal well with dynamic IPs on remote PCs -- and PPTP
    with MS-CHAPv2 for all remote PC VPNs. These $300 Netopia boxes have no
    difficulty acting as VPN endpoints for multiple simultaneous PPTP sessions,
    so I have to wonder about any protocol limitation re: GRE.

    I use Microsoft VPN client (Windows 2000/XP only), which means I can talk
    any user through a VPN setup over the phone, no downloads/installs.

    It's hard to believe PIX can't do that. But then, it wasn't that long ago
    IOS couldn't accept DHCP-assigned IP addresses.

    Ken Wallewein
    K&M Systems Integration
    Phone (403)274-7848
    Fax (403)275-4535

    kenw, Aug 23, 2004
  13. Walter Roberson

    :Hmmm. Well, I want to run an Exchange server inside the firewall. I don't
    :want run all SMTP traffic via a specific ISP (which as I understand it
    :means I won't be using ESMTP),

    ESMTP has nothing to do with the number of different machines you
    allow to send you email. ESMTP is an extended SMTP protocol, running on the
    same port as SMTP normally would, and whether any particular transaction
    is plain SMTP or the enhanced ESMTP is negotiated between the MTAs.

    For example, when the two ends have negotiated ESMTP, somewhere in the
    MAIL FROM / RCPT TO exchange, as well as specifying the addresses,
    you can [commonly] attach a SIZE= note that specifies the size of the
    message. The MTA can then check the size against each target mailbox,
    and can return status reports indicating which of the mailboxes will
    be able to accept the full message. If none of the target mailboxes
    are able to handle a message that large, then ESMTP would skip sending
    the message.

    On the PIX in any current release, the 'smtp' fixup disallows ESMTP
    and disallows all of the optional SMTP commands -- it only allows a
    very basic machine-to-machine transaction.

    The PIX smtp fixup protects you only to the degree that you do not
    trust your MTA software (e.g., Exchange server) to handle all the
    ESMTP extensions properly, and yet you still trust that once a message
    with basic headers is received by your MTA, that the message is "safe"
    to process. Exchange server is not the securest of software, but
    the number of ESMTP abuses of Exchange is, I would say, much much
    less of a problem than what happens after the message is delivered
    to the user and the message uses an IE exploit to compromise the
    recipient's system. Restricting to plain SMTP doesn't help you
    against those attacks, only against attacks against the ESMTP
    protocol itself.

    I can only think of one -relatively- recent attack that might
    have affected Exchange servers behind a PIX that did not have
    the smtp fixup turned on. I seem to recall (and I haven't checked)
    that the DCOM overflow affected port 25 amongst a long list of others.
    With the smtp fixup turned on, the attacker would at least have to
    go through an SMTP transaction and send the attack in a DATA packet,
    instead of being able to just connect to the port and send a single
    packet to compromise the system.

    If you don't trust Exchange server to handle ESMTP, then the common
    way of dealing with the situation is to put up a secure mail
    relay machine running [say] FreeBSD locked down, using qmail
    or sendmail as the MTA. Sanitize/ despam/ whatever at that
    level, and if it passes your tests, forward it on internally
    to the Exchange server. Some of the benefits of ESMTP, having
    to do with character set encodings and non-delivery notifications,
    can make the initial setup effort worthwhile.
    Walter Roberson, Aug 23, 2004
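    The two SMTP behaviours discussed in this thread (the "minimal subset" plain-SMTP filtering Walter describes in reply 9, and the ESMTP SIZE negotiation he describes above) modelled in a short Python example. This is added illustration, not code from the thread or from any Cisco product; the allowed-command set, the 256-byte line cap, the EHLO reply and the mailbox limits are constructed assumptions.

```python
MINIMAL_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_LINE_LENGTH = 256  # assumed cap standing in for "no long recipient lines"

def filter_command(line):
    """Model of a strict plain-SMTP filter: returns (allowed, reason).
    Anything outside the assumed RFC 821 minimal set (EHLO, VRFY, ...)
    is refused, so a client can only fall back to HELO, i.e. plain SMTP."""
    if len(line) > MAX_LINE_LENGTH:
        return False, "line too long"
    verb = line.split(" ", 1)[0].upper()
    if verb not in MINIMAL_COMMANDS:
        return False, verb + " not in minimal SMTP subset"
    return True, "ok"

def parse_ehlo_reply(reply_lines):
    """Turn a multi-line 250 EHLO reply into {EXTENSION: parameter string}."""
    exts = {}
    for line in reply_lines[1:]:  # line 0 is the server greeting
        name, _, params = line[4:].partition(" ")  # drop "250-" / "250 "
        exts[name.upper()] = params
    return exts

def mail_from(sender, size, exts):
    """Client side: attach SIZE= only when the server advertised SIZE."""
    cmd = "MAIL FROM:<%s>" % sender
    return cmd + (" SIZE=%d" % size if "SIZE" in exts else "")

def rcpt_decisions(size, mailbox_limits):
    """Server side: per-recipient verdict for the declared size.
    Returns {recipient: reply code}; 552 means that mailbox cannot take it."""
    return {rcpt: (250 if size <= limit else 552)
            for rcpt, limit in mailbox_limits.items()}

def should_send(decisions):
    """Skip the DATA phase entirely when no recipient can accept the message."""
    return any(code == 250 for code in decisions.values())

# Constructed sample data (not captured from any real server).
EHLO_REPLY = ["250-mail.example.net Hello", "250-SIZE 10485760",
              "250-8BITMIME", "250 HELP"]
MAILBOX_LIMITS = {"alice@example.net": 20000000, "bob@example.net": 5000000}

if __name__ == "__main__":
    exts = parse_ehlo_reply(EHLO_REPLY)
    print(mail_from("ken@example.com", 8000000, exts))
    print(rcpt_decisions(8000000, MAILBOX_LIMITS))
    for cmd in ("EHLO client.example.com", "HELO client.example.com", "VRFY alice"):
        print(cmd, filter_command(cmd))
```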
