Open Source and information security mailing list archives
From: full-disclosure at royds.net (full-disclosure@...ds.net)
Subject: Sidewinder G2

Two things.

The Sidewinder firewall was written before qmail, Postfix or other secure MTAs existed, so it used sendmail as the only existing open source MTA at the time. It would be difficult for most of the customers of Sidewinder to convert to another MTA after depending on sendmail for a long time. This is the main reason it runs sendmail rather than Qmail or Postfix.

The Sidewinder OS is one of the most secure there is and achieves good partitioning of processes from each other. It is designed so that one process being hacked (sendmail for instance) will not cause a breach of security for the system. Proxies like sendmail do not run as root (since it does not deliver mail to any account on the Sidewinder itself) so anyone hacking them gains no further access. This is why it is safer to run it on the Sidewinder rather than a less secure OS like Linux or Solaris.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Daniel Sichel
Sent: November 17, 2003 2:55 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Sidewinder G2

Thanks for the input I have received on safe configurations for the Sidewinder G2. After reading all the responses, which pretty universally confirmed my instinct that it would be less than clever to have sendmail running on a firewall, I began to doubt that I had heard the tech guy who recommended it correctly. So I checked the manual, which recommends as most secure the following...

"Host the DNS and sendmail servers directly on your firewall. The operating system should be better protected against a wide-range of exploits." PlanningGD.PDF from Secure Computing.

This represents a very different approach than what was suggested here. Any ideas why? Who is right?

BTW, I hope I haven't broken any intellectual property (the other ugly "IP" in our little world) laws by reproducing the quote from the manual. If so I apologize and plead ignorance. It is reproduced here ONLY for educational purposes.

Dan Sichel, Network Engineer
Ponderosa Telephone Company
(559) 868-6367

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html