Sidewinder G2 Thanks and a question or two

["Daniel Sichel" <daniels () ponderosatel com>]

Thanks to all for the good responses which are, to say the least mildly
disturbing. I WAS looking forward to some good night's sleep, but you
folks put paid to that!
<snip>
> They may find a way AROUND it, or
> socially engineer their way in, sure.  Just not THROUGH it.
<snip>
Hmmm. Always a disurbing possibility. But in the famous last words of
many FORMER network engineers, I don't think my users are that gullible.

<snip>
> Basically, version 4.1 failed to do actually do HTTP syntax checking
making
> the HTTP proxy a generic proxy in function. So all the HTTP protocol
> violation style attacks weren't blocked at all. Proved it using tools
off
> packetstorm. Told SCC about it and proved it to them as well. Then they
> verified the problem and issued a patch some months later. 
>
> Make sure those protection features are actually doing what they claim
> folks.
>
> http://www.networkcomputing.com/1106/1106f16.html?ls=NCJS_1106rt
>
> mike

This was VERY disturbing. Kind of makes Secure's claim look pretty
stupid. Tried it on any other boxes? Apparetntly secure computing
expected the web proxy to be in full use. Fortunately, we are a small
enough operation to do exactly that. 


<snip>
> Secure Computing claims that their "SecureOS" with type-enforcement and
> other service protection is not vulnerable to the exploits against BIND
> and Sendmail, and as such, it is more secure than punching holes in
your
> firewall and passing the traffic to internal hosts running vulnerable
> versions of BIND and Sendmail.
>
> I'm not suggesting that SCC is correct in their defense against this
> claim, but they do have a point.
<snip>

I think this is a reasonable claim and your response resonates with me,
why not use dnscache or tinydns and qmail? The best they could tell me
was the problem was in the way they virtualized the hardware drivers. It
makes there OS incompatible with lots of BSD/Linux stuff. I am enough of
a techie nerd to know that that makes no sense when you ARE able to run
sendmail and BIND. I guess they just don't see this as a big issue
because BIND and sendmail run in jails, so what ever process controller
they use, just restarts them if a hack kills the process. They seem very
confident about the integrity of their jails and told me I had nothing
to worry about even if a hacker broke into a root shell in one of them.
I am not convinced that this would be, to quote the late great Douglas
Addams, "mostly harmless".

As part of this project we are looking at TACACS+ or RADIUS in
conjunction with Safeword Premier Access for authentication along with
some type of centralized logging host running on our internal network
under Winblows 2000. Any ideas? Should I put the logging host into it's
own subnet, on its own interface and only allow NTP and logging traffic
in? Can I do that and block ALL traffic out? My understanding is that
syslog traffic runs native as UDP. I am thinking of VPNs from my
external router, my firewall, and even potentially my Stratus 1 Clock (I
have one onsite because we are a telco. Sometimes life is good). Any
ideas?

Thanks

Dan Sichel, Network Engineer
Ponderosa Telephone Company
(559) 868-6367

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html