Full Disclosure mailing list archives
Sidewinder G2 Thanks and a question or two
From: "Daniel Sichel" <daniels () ponderosatel com>
Date: Wed, 19 Nov 2003 09:09:27 -0800
Thanks to all for the good responses which are, to say the least mildly disturbing. I WAS looking forward to some good night's sleep, but you folks put paid to that! <snip>
They may find a way AROUND it, or socially engineer their way in, sure. Just not THROUGH it.
<snip> Hmmm. Always a disurbing possibility. But in the famous last words of many FORMER network engineers, I don't think my users are that gullible. <snip>
Basically, version 4.1 failed to do actually do HTTP syntax checking
making
the HTTP proxy a generic proxy in function. So all the HTTP protocol violation style attacks weren't blocked at all. Proved it using tools
off
packetstorm. Told SCC about it and proved it to them as well. Then they verified the problem and issued a patch some months later. Make sure those protection features are actually doing what they claim folks. http://www.networkcomputing.com/1106/1106f16.html?ls=NCJS_1106rt mike
This was VERY disturbing. Kind of makes Secure's claim look pretty stupid. Tried it on any other boxes? Apparetntly secure computing expected the web proxy to be in full use. Fortunately, we are a small enough operation to do exactly that. <snip>
Secure Computing claims that their "SecureOS" with type-enforcement and other service protection is not vulnerable to the exploits against BIND and Sendmail, and as such, it is more secure than punching holes in
your
firewall and passing the traffic to internal hosts running vulnerable versions of BIND and Sendmail. I'm not suggesting that SCC is correct in their defense against this claim, but they do have a point.
<snip> I think this is a reasonable claim and your response resonates with me, why not use dnscache or tinydns and qmail? The best they could tell me was the problem was in the way they virtualized the hardware drivers. It makes there OS incompatible with lots of BSD/Linux stuff. I am enough of a techie nerd to know that that makes no sense when you ARE able to run sendmail and BIND. I guess they just don't see this as a big issue because BIND and sendmail run in jails, so what ever process controller they use, just restarts them if a hack kills the process. They seem very confident about the integrity of their jails and told me I had nothing to worry about even if a hacker broke into a root shell in one of them. I am not convinced that this would be, to quote the late great Douglas Addams, "mostly harmless". As part of this project we are looking at TACACS+ or RADIUS in conjunction with Safeword Premier Access for authentication along with some type of centralized logging host running on our internal network under Winblows 2000. Any ideas? Should I put the logging host into it's own subnet, on its own interface and only allow NTP and logging traffic in? Can I do that and block ALL traffic out? My understanding is that syslog traffic runs native as UDP. I am thinking of VPNs from my external router, my firewall, and even potentially my Stratus 1 Clock (I have one onsite because we are a telco. Sometimes life is good). Any ideas? Thanks Dan Sichel, Network Engineer Ponderosa Telephone Company (559) 868-6367 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Sidewinder G2 Thanks and a question or two Daniel Sichel (Nov 19)
- RE: Sidewinder G2 Thanks and a question or two Mike Fratto (Nov 19)