Ask the Expert

Is there a hole in my Cisco Pix Firewall?

My company recently went from a border manager to a Cisco Pix Firewall. After about a week our outgoing e-mail stopped going out except for at night (incoming and in-house e-mail are not effected). It appears to me someone is sending e-mail from our server. I called our service provider?s tech support, who told me it appeared that anyone could be sending e-mail from our account. I am assuming this means the service provider left a hole in my firewall. I have dealt with this provider in the past, so I have a feeling they will deny this happened. Is there a way I can tell if there is a hole in the firewall? Could anything else cause this?

Requires Free Membership to View

If you're allowing e-mail traffic through your firewall, you've likely got a "hole" in it - TCP port 25 for the e-mail protocol SMTP. Unfortunately, this is a necessary evil. There's likely something else going on, so here are a few things to consider doing:
  • Change the terminal and enable passwords on your PIX firewall.
  • Look for old/unused e-mail accounts. Disable or delete any that you find since these can be a source of compromise.
  • Change user passwords on your e-mail server. (You may have to change network passwords in conjunction with this.)
  • Change the administrator password on the e-mail server.
  • Test your e-mail server for SMTP relay at www.abuse.net/relay.html or similar site.
  • Turn off SMTP relay for outside addresses on your email server if possible.
  • Look at your PIX firewall ruleset and make sure the SMTP rules are in place. You should see something similar to:
    conduit permit tcp host PUBLIC_IP_ADDRESS eq smtp any
    conduit permit tcp host MAILSERVER_PRIVATE_IP_ADDRESS eq smtp any
  • Test your systems for vulnerabilities using an external tool. (Note: External port scans aren't enough, so consider using a reputable tool that can dig a little deeper such as QualysGuard .)

If you still have problems with your e-mail server, you may need to bring in an outside consultant to look at your systems for signs of compromise and further vulnerability testing.

This was first published in November 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: