08-23-2004 10:20 AM
Howdy all,
My colleague and I are in debate over what to do with the fixup protocols in the PIX config. My take on the matter is if we are not using those protocols listed then we should shut it down as they pose a security risk, albeit possibly small. My colleague's take is if you shut down those fixup protocols you introduce a security hole. Neither of us are experts on the PIX. Can anybody set us straight on this? Thanks.
Randy Moore
08-23-2004 09:25 PM
If you don't have any of a specific protocol going through the PIX, then I can't see how enabling or disabling the fixup for that protocol is a security risk. Basically what most of the fixups do is provide some sort of upper-layer inspection of each protocol, usually so things like IP addresses stored in the data portion of the packet are NAT'd properly. Again though, if you don't have any of those protocols running then the fixup won't be doing anything.
In my opinion, I'd just leave them on since in the future you may have those protocols running and you'll need the fixup.
08-24-2004 06:01 AM
Thanks for the info.
08-24-2004 09:03 PM
Agreed, leave them on.
If you're using ESMTP, the fixup smtp can cause problems so might need to be turned off.
08-25-2004 05:11 AM
Thanks Shaun,
We had to do that a while back for the store and forward provider... However, at the time I didn't know why. I'll have to look up ESMTP. Thanks
Cheers.