Full Disclosure mailing list archives

Re: Sidewinder G2 Firewall


From: Goetz Von Berlichingen <goetzvonberlichingen () comcast net>
Date: Sat, 15 Nov 2003 15:54:00 -0700

Daniel Sichel wrote:
We are in the process of implementing new Sidewinder G2 firewalls.
So far I have not been able to find any record of successful hacks on
these things, so I am pretty happy. The downside is the suckers run sendmail. It is in a jail but still...
It's sendmail. Anybody out there who has substituted Qmail on one of
these? If not, any advice on what stupid things I can avoid while
configuring these. I say these because we are in a high availability
scenario.

Haven't played with these in a while. When we did, they were not our primary targets because there was lower-hanging fruit. No implementation I have seen included the servers on the firewall - they all filtered to a DMZ with servers - so I don't know how it performs as a server. Are you purchasing the appliance version or the software to run on your hardware?

Either way, the firewall runs on SecureOS, which is basically a Mandatory Access Control (MAC) version of BSD. The research which eventually led to SecureOS was done by Earl Boebert, et al, back in the early 80s for various Three Letter Agencies (TLAs). SecureOS uses the Honeywell version of Domain Type Enforcement (a standard mechanism of secure OSes). Honeywell added DTE to MULTICS as part of the World-Wide Military Command and Control System (WWMCCS, pronounced Wimiks). The Honeywell variety (as opposed to the Trusted Information Systems variety) of DTE later became the basis for SecureComputing's SecureOS.

My team has successfully attacked DTE (but not in the form of a MAC OS like SecureOS). These systems are only as secure as their role authentication mechanism. The bottom line all comes back to the first principle of cyberwarfare I proposed at the First Annual IEEE SMC Information Assurance Workshop. In all systems, some human or cyber entity has the ability and privilege to perform the action the attacker wants to perform. The attacker needs to assume the identity of that entity. In your case, if the sendmail program is vulnerable, the attacker will be able to do anything that sendmail is able to do. Yes, that limits the attacker's options, but lots of attacks are still available to them.

This type of system is more secure than an OS without MAC. Since this is the state-of-the-art in secure operating systems, you are certainly practicing due diligence. Personally, I'd recommend limiting systems to single functions and not running the MTA on the firewall.
If you must combine functions, you should be able to run anything compatible with BSD. However, you may have to reconfigure domain access policy to accommodate non-standard software, which at the least is a pain in the ass and at worst could violate warranties and such.

Goetz
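The confinement argument in the reply above (a compromised sendmail gets exactly what sendmail's domain gets, and the attacker must still assume another identity to reach anything else) can be made concrete with a toy Domain and Type Enforcement evaluator. This is an added example and not code from the post, from Secure Computing or from SecureOS: the domain names (sendmail_d, admin_d, login_d, init_d), type names (mail_queue_t, fw_config_t, shell_exec_t, ...), file paths and the access matrix are all constructed for the illustration and do not reflect SecureOS's actual policy or policy language. The DAC model beside it is deliberately coarse (root may do anything) to contrast with the MAC case.

```python
"""Toy Domain and Type Enforcement (DTE) evaluator.

Added example, not code from the post or from SecureOS: the domain, type and
path names below are constructed to show how a MAC policy bounds what a
compromised sendmail can do, versus a DAC-only box where root is unlimited.
"""

# File labelling: every object carries exactly one type.  (Constructed paths.)
FILE_TYPES = {
    "/var/spool/mqueue/qfAB123": "mail_queue_t",
    "/var/mail/dsichel": "mail_spool_t",
    "/etc/mail/sendmail.cf": "sendmail_cfg_t",
    "/usr/sbin/sendmail": "sendmail_exec_t",
    "/etc/passwd": "passwd_t",
    "/etc/firewall/rules.conf": "fw_config_t",
    "/bin/sh": "shell_exec_t",
    "/usr/local/bin/fwadmin": "fwadmin_exec_t",
}

# Domain-to-type access matrix: modes a subject domain gets on an object type.
ACCESS = {
    ("sendmail_d", "mail_queue_t"): {"read", "write", "create"},
    ("sendmail_d", "mail_spool_t"): {"read", "write", "create"},
    ("sendmail_d", "sendmail_cfg_t"): {"read"},
    ("sendmail_d", "passwd_t"): {"read"},        # user lookups only
    ("sendmail_d", "shell_exec_t"): {"exec"},    # e.g. for delivery programs
    ("admin_d", "fw_config_t"): {"read", "write"},
    ("admin_d", "passwd_t"): {"read", "write"},
    ("admin_d", "shell_exec_t"): {"exec"},
    ("admin_d", "fwadmin_exec_t"): {"exec"},
    ("login_d", "shell_exec_t"): {"exec"},
    ("init_d", "sendmail_exec_t"): {"exec"},
}

# Domain transitions: (source domain, entry-point type) -> new domain.  An
# exec with no listed transition leaves the process in its current domain.
# admin_d is only reachable through the login path (role authentication).
TRANSITIONS = {
    ("init_d", "sendmail_exec_t"): "sendmail_d",
    ("login_d", "shell_exec_t"): "admin_d",
}


def file_type(path):
    return FILE_TYPES.get(path, "unlabeled_t")


def mac_allowed(domain, path, mode):
    """DTE check: is `mode` on `path` permitted to a process in `domain`?"""
    return mode in ACCESS.get((domain, file_type(path)), set())


def dac_allowed(uid, path, mode):
    """DAC-only stand-in for the same box: root may do anything to any file."""
    return uid == 0


def exec_in_domain(domain, path):
    """Domain a process lands in after `domain` execs `path`; None if denied."""
    if not mac_allowed(domain, path, "exec"):
        return None
    return TRANSITIONS.get((domain, file_type(path)), domain)


def attacker_reach(domain, mode="write"):
    """Paths an attacker running arbitrary code in `domain` can touch with `mode`."""
    return sorted(p for p in FILE_TYPES if mac_allowed(domain, p, mode))


def compare_models():
    """What a sendmail code-execution bug yields under DTE versus DAC-as-root."""
    mac_write = attacker_reach("sendmail_d", "write")
    dac_write = sorted(p for p in FILE_TYPES if dac_allowed(0, p, "write"))
    # Popping a shell does not escape: /bin/sh runs, but stays in sendmail_d.
    shell_domain = exec_in_domain("sendmail_d", "/bin/sh")
    return {
        "mac_writable": mac_write,
        "dac_root_writable": dac_write,
        "shell_domain": shell_domain,
        "fw_rules_writable_mac": mac_allowed(shell_domain, "/etc/firewall/rules.conf", "write"),
        "fw_rules_writable_dac": dac_allowed(0, "/etc/firewall/rules.conf", "write"),
    }


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(f"{key}: {value}")
```

Running it shows the point of the reply: under the toy DTE policy a sendmail compromise can write only the two mail files and a shell spawned from it is still confined to sendmail_d, so the firewall rules stay untouchable, whereas in the DAC-as-root model the same bug writes every file on the box. It also shows the cost Goetz mentions: any non-standard software dropped onto such a system needs its own rows in ACCESS and TRANSITIONS before it will run at all.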


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

