Full Disclosure mailing list archives
Re: Sidewinder G2
From: "Michaelmas" <michaelmas () hush ai>
Date: Tue, 18 Nov 2003 12:51:13 -0800
Shawn McMahon wrote:
Daniel Sichel wrote:
"Host the DNS and sendmail servers directly on your firewall. The operating system should be better protected against a wide-range of exploits."
Implementing two of the most common targets of exploit sort of eliminates the usefulness of that "better" protection.
Any application proxy firewall is going to face some of these issues. I do agree 100% that I personally would be more comfortable with an application proxy firewall product like Sidewinder if they implemented DNS and SMTP using secure-by-design services rather than using "hardened" BIND and "hardened" Sendmail on a "secure" BSDI-based OS.
Return their product and get your money back.
Secure Computing claims that their "SecureOS" with type-enforcement and other service protection is not vulnerable to the exploits against BIND and Sendmail, and as such, it is more secure than punching holes in your firewall and passing the traffic to internal hosts running vulnerable versions of BIND and Sendmail. I'm not suggesting that SCC is correct in their defense against this claim, but they do have a point.
Personally, I would prefer to run a caching DNS service (DJB dnscache, chrooted) on OpenBSD as an edge firewall, both to offer some protection to internal DNS clients, and also to enhance proxy performance on the firewall itself (by caching DNS results locally). Unfortunately, there are no commercial products implementing this combination, and when you're working with major corporations, a home-brew design built on "Open Source" components is a tough sell.