Q

Is there a hole in my Cisco Pix Firewall?

My company recently went from a border manager to a Cisco Pix Firewall. After about a week our outgoing e-mail stopped going out except for at night (incoming and in-house e-mail are not effected). It appears to me someone is sending e-mail from our server. I called our service provider?s tech support, who told me it appeared that anyone could be sending e-mail from our account. I am assuming this means the service provider left a hole...

in my firewall. I have dealt with this provider in the past, so I have a feeling they will deny this happened. Is there a way I can tell if there is a hole in the firewall? Could anything else cause this? If you're allowing e-mail traffic through your firewall, you've likely got a "hole" in it - TCP port 25 for the e-mail protocol SMTP. Unfortunately, this is a necessary evil. There's likely something else going on, so here are a few things to consider doing:

  • Change the terminal and enable passwords on your PIX firewall.
  • Look for old/unused e-mail accounts. Disable or delete any that you find since these can be a source of compromise.
  • Change user passwords on your e-mail server. (You may have to change network passwords in conjunction with this.)
  • Change the administrator password on the e-mail server.
  • Test your e-mail server for SMTP relay at www.abuse.net/relay.html or similar site.
  • Turn off SMTP relay for outside addresses on your email server if possible.
  • Look at your PIX firewall ruleset and make sure the SMTP rules are in place. You should see something similar to:
    conduit permit tcp host PUBLIC_IP_ADDRESS eq smtp any
    conduit permit tcp host MAILSERVER_PRIVATE_IP_ADDRESS eq smtp any
  • Test your systems for vulnerabilities using an external tool. (Note: External port scans aren't enough, so consider using a reputable tool that can dig a little deeper such as QualysGuard .)

If you still have problems with your e-mail server, you may need to bring in an outside consultant to look at your systems for signs of compromise and further vulnerability testing.

This was first published in November 2004
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close