Footnotes

...
Intruders have been observed to target specific sites for intrusions by methodically scanning host systems for vulnerabilities. Intruders often use automated probes, i.e., software that scans all host systems connected to a site's network. This is sometimes referred to as probing a site.

...
sendmail is the mail transport software for most UNIX hosts. It is a very large, complex program that has been found repeatedly to contain vulnerabilities that have permitted intruder access to systems that run sendmail.

...
It should be pointed out that even vendor-supported software has such problems and may be even harder to get fixed in a timely fashion.

...
Some sites have instituted policies that deny put and get commands in certain directions; having a firewall that can filter FTP commands is especially useful in such a situation. Some sites have disallowed get commands outbound, so that no users could retrieve information or software from outside sources. Other sites have disallowed put commands outbound, so that no users could store information on FTP servers external to the site. More common has been to allow no put commands inbound, so that no external users can write to FTP servers at the site.
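
The direction-based put and get policies above can be expressed as a filter on the FTP control channel. The following is an added example, not part of the original document. The policy names, function names and sample session are constructed, and it assumes that put corresponds to the RFC 959 verbs STOR, STOU and APPE and that get corresponds to RETR.

```python
# Added example: direction-aware filtering of FTP control-channel commands.
# Policy names, function names and the sample session are constructed.
from dataclasses import dataclass

# RFC 959 verbs behind the user-level "put" and "get" commands.
PUT_VERBS = {"STOR", "STOU", "APPE"}  # client writes a file to the server
GET_VERBS = {"RETR"}                  # client reads a file from the server
DIRECTIONS = ("inbound", "outbound")  # relative to the protected site


@dataclass(frozen=True)
class Policy:
    name: str
    deny: frozenset  # (direction, action) pairs the gateway refuses


# The three site policies described in the footnote.
NO_GET_OUTBOUND = Policy("no-get-outbound", frozenset({("outbound", "get")}))
NO_PUT_OUTBOUND = Policy("no-put-outbound", frozenset({("outbound", "put")}))
NO_PUT_INBOUND = Policy("no-put-inbound", frozenset({("inbound", "put")}))


def classify(line: str) -> str:
    """Map one control-channel line to 'put', 'get' or 'other'."""
    parts = line.strip().split(None, 1)
    verb = parts[0].upper() if parts else ""  # FTP verbs are case-insensitive
    if verb in PUT_VERBS:
        return "put"
    if verb in GET_VERBS:
        return "get"
    return "other"


def allowed(policy: Policy, direction: str, line: str) -> bool:
    """True if the gateway should relay this command for this session direction."""
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction: {direction!r}")
    return (direction, classify(line)) not in policy.deny


def blocked_commands(policy: Policy, direction: str, session: list) -> list:
    """Return the commands in a session that the policy refuses."""
    return [cmd for cmd in session if not allowed(policy, direction, cmd)]


# Constructed session: an internal user talking to an external FTP server.
SAMPLE = ["USER anonymous", "retr tools.tar", "STOR notes.txt", "appe log.txt", "QUIT"]

if __name__ == "__main__":
    for pol in (NO_GET_OUTBOUND, NO_PUT_OUTBOUND, NO_PUT_INBOUND):
        print(pol.name, "->", blocked_commands(pol, "outbound", SAMPLE))
```

A filter that matched only the literal string STOR would miss the lower-case and APPE/STOU forms, which is why the verb is normalized and all write verbs are grouped before the direction check.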

...
Some dual-homed gateway firewalls do not use proxy services but require users to have accounts on the gateway for access to the Internet. This type of firewall is not recommended, as maintaining multiple accounts on a firewall can lead to user mistakes, which can lead to intruder attacks and break-ins.

...
The application gateway could also be located on the Internet side of the router with no apparent loss in security. Locating the application gateway on the outside may help to reinforce the understanding that it is subject to Internet attacks and should not necessarily be trusted.

John Wack
Thu Feb 9 18:17:09 EST 1995