Is there a hole in my Cisco Pix Firewall?

Is there a hole in my Cisco Pix Firewall?

My company recently went from a border manager to a Cisco Pix Firewall. After about a week our outgoing e-mail stopped going out except for at night (incoming and in-house e-mail are not effected). It appears to me someone is sending e-mail from our server. I called our service provider?s tech support, who told me it appeared that anyone could be sending e-mail from our account. I am assuming this means the service provider left a hole in my firewall. I have dealt with this provider in the past, so I have a feeling they will deny this happened. Is there a way I can tell if there is a hole in the firewall? Could anything else cause this?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

If you're allowing e-mail traffic through your firewall, you've likely got a "hole" in it - TCP port 25 for the e-mail protocol SMTP. Unfortunately, this is a necessary evil. There's likely something else going on, so here are a few things to consider doing:
  • Change the terminal and enable passwords on your PIX firewall.
  • Look for old/unused e-mail accounts. Disable or delete any that you find since these can be a source of compromise.
  • Change user passwords on your e-mail server. (You may have to change network passwords in conjunction with this.)
  • Change the administrator password on the e-mail server.
  • Test your e-mail server for SMTP relay at www.abuse.net/relay.html or similar site.
  • Turn off SMTP relay for outside addresses on your email server if possible.
  • Look at your PIX firewall ruleset and make sure the SMTP rules are in place. You should see something similar to:
    conduit permit tcp host PUBLIC_IP_ADDRESS eq smtp any
    conduit permit tcp host MAILSERVER_PRIVATE_IP_ADDRESS eq smtp any
  • Test your systems for vulnerabilities using an external tool. (Note: External port scans aren't enough, so consider using a reputable tool that can dig a little deeper such as QualysGuard .)

If you still have problems with your e-mail server, you may need to bring in an outside consultant to look at your systems for signs of compromise and further vulnerability testing.

This was first published in November 2004

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top